1.0 MANAGEMENT COMMITMENT AND PHILOSOPHY
1.1 Safety and Security Policy Statement 

It is the policy of the California High-Speed Rail Authority (Authority) to perform work on the California 
High-Speed Train Project (CHSTP) in a manner that ensures the safety and security of employees, 
contractors, emergency responders, and the public. The application of system safety and security 
comprises a fundamental hazard and vulnerability management process that incorporates the 
characteristics of planning, design, construction, testing, operational readiness, and subsequent operation 
of the high-speed rail system. Safety and security are priority considerations in the planning and 
execution of all work activities on the CHSTP. 

All trains, facilities, systems and operational processes must be designed, constructed, and implemented 
in a manner that promotes the safety and security of persons and property. The design, construction, 
testing, and start-up of the CHST System will comply with applicable safety and security laws, regulations, 
requirements and railroad industry practices. The Authority will maintain or improve upon the public 
transit and railroad industry standards for safety and security. Through the Reliability, Availability, 
Maintainability, and Safety (RAMS) Program a standard of safety will be established that is as safe as or 
safer than conventional U.S. railroad operations. The design, construction, testing, and start-up of the 
CHST System will be accomplished in compliance with this standard. 

The Authority is committed to providing a safe and secure travel and work environment. Therefore, safety, 
accident prevention, and security breach prevention must be incorporated into the performance of every 
employee task. All Authority, Program Management Team, and contractor personnel, subcontractors and 
employees are charged with the responsibility for ensuring the safety and security of employees, 
contractors, emergency responders, and the public who come in contact with the CHST System. Each 
individual and organization is responsible for hazard and vulnerability management, for applying the 
processes that are designed to ensure safety and security, and for maintaining established safety and 
security standards, consistent with their position and organizational function. Through a cooperative team 
effort and the systemic application of safety and security principles, the CHST System will be designed, 
constructed, tested, and placed into service in a safe and secure manner. 


Roelof van Ark

Chief Executive Officer

California High-Speed Rail Authority 


1.2 Background 

The Federal Railroad Administration (FRA) requires that the Authority implement safety and security 
principles and processes throughout the CHSTP. Absent federal regulations that govern the completion of 
major capital projects, the Federal Railroad Administration looks to the Federal Transit Administration
(FTA) regulations for guidance. FTA regulations found at 49 CFR 633
require the development of a Project Management Plan (PMP) for every major capital transit project. As
described in FTA Circular 5800.1 Safety and Security Management Guidance for Major Capital Projects
(dated 8/1/07), a Safety and Security Management Plan (SSMP) is the element of the PMP that manages
project safety and security activities, responsibilities, and verification processes throughout the project life
cycle. This document fulfills the FRA requirement for managing safety and security in the execution of
the CHSTP.

The SSMP does not carry over into revenue operations, but will lead to development of a System Safety
Program Plan (SSPP) and Security and Emergency Preparedness Plan (SEPP) to govern safety and
security for the operating system prior to the start of revenue service. The FRA is in the process of
promulgating regulations that require the application of a SSPP to passenger railroad operations.

1.3 Purpose of the SSMP 

The SSMP formalizes the technical and management strategies for determining safety and security risk
acceptance throughout the CHSTP life cycle, from the design phase through the start of revenue service,
and is applied to each segment undertaken in turn. The SSMP defines the process for identifying,
evaluating, and resolving safety hazards and security vulnerabilities associated with future railroad
operations of the Project prior to the start of revenue service. This process helps to ensure the
achievement of the highest practical level of operational safety and security for the riding public, the
employees, and anyone coming into contact with the CHST system.

The purpose of the SSMP is to define the safety and security activities of the CHSTP and methods for
identifying, evaluating, and resolving potential safety hazards and security vulnerabilities of the CHST
system. It establishes responsibility and accountability for safety and security during the preliminary
engineering, final design, construction, testing, and start-up phases of the CHSTP. Specifically, the
SSMP does the following:

• Establishes the Authority's commitment and philosophy to achieve the highest practical level of safety
and security for the Authority’s staff, Project Management Team (PMT) staff, contractors, emergency
responders, and members of the public that come into contact with the CHST system

• Establishes and manages safety and security activities intended to minimize risk of injury and
property damage, and to maximize the safety and security for the California High-Speed Rail
passengers, employees, and the public

• Integrates the safety and security functions and activities throughout the CHSTP and its
organizational structure

• Defines the safety and security responsibilities between the Authority and CHSTP design,
construction, and start-up teams

• Defines the process for the documentation and verification of safety and security activities

• Evaluates project phases and activities to ensure continued development and advancement of safety
and security principles

• Establishes the framework for construction safety and security


1.4 Applicability and Scope of SSMP 

The SSMP is applicable to all phases of the CHSTP, from preliminary engineering through final design,
construction, testing and the start of revenue service. The SSMP encompasses all equipment,
infrastructure, operating and maintenance plans and procedures associated with the CHST system.

1.4.1 Project Description 

The California High-Speed Train Project will construct a state-of-the-art, statewide, high-speed
performance passenger railroad based on operating practices and designs of existing high-speed rail
networks in Europe and Asia which have had extraordinary performance and safety records. The CHST
system will require certification by federal and other regulatory agencies which have indicated they are
open to approaches which provide equivalent or better safety than existing rail regulations in the United
States. The Authority’s eventual goal is to develop a system of more than 800 route miles that provides
high-speed rail service between the major metropolitan centers of the San Francisco Bay Area and
Sacramento in the north, through the Central Valley, to Los Angeles, Anaheim, Irvine and San Diego in 
the south. 

The CHST system will operate at speeds up to 220 mph within its dedicated or shared-use corridors 
where the CHST system has sole use of a track, and up to 125 mph in shared-use conditions where there 
is joint use of tracks with other passenger trains. There will be no joint use of tracks with freight trains on 
shared-use tracks. Freight operations, where applicable, will be temporally separated. No hazardous 
materials will be transported or permitted to be transported by others on Authority dedicated tracks. 

The service will use high-speed steel-wheel on steel-rail technology which has been service-proven in 
Asia and Europe and provides a high level of service in terms of safety, comfort, and reliability. The 
system will operate on a mostly dedicated, fully grade-separated standard gage track with electric trains 
powered through the use of an overhead contact system. The right-of-way will make use of tunneling and 
elevated structures to achieve an ideal alignment and profile. Automotive, animal, other railroad and
non-railroad equipment crossings will be accomplished by means of an underpass or overpass.

The system will include an Automatic Train Control (ATC) system based on designs for similar high-speed 
environments in Europe and Asia, modified only where necessary to meet regulatory requirements and 
functional and performance needs specific to the CHST system. The ATC system will cover all functions 
of a train control system including both safety critical and non-safety critical operations and will 
incorporate Positive Train Control in compliance with FRA regulations. A hazard detection system will be 
applied throughout the CHST system to alert the operating control center of natural events such as 
seismic activity, excessive wind speeds, high water levels, and excessive ambient temperature levels that 
trigger a system response; and other events such as vehicle or rail car intrusion, and trespassers. 

Although Preliminary Engineering Phase activities will occur simultaneously for the entire system, the 
Final Design and Construction Phase activities will be developed in geographic segments, due to the size 
of the eventual system. The Initial Construction Segment (ICS) has been designated as a point north of 
Fresno to a point north of Bakersfield. Subsequent segments will extend north and south from the ICS. 

The Initial Operating Segment (IOS) will encompass several construction segments into what is termed
“Bay To Basin”, providing high-speed rail service from the greater San Francisco Bay Area to the greater 
Los Angeles Basin. 

1.4.2 SSMP Scope 

This SSMP encompasses the following equipment, facilities, plans, and procedures as they relate to the 
Project. 

• System-Wide Elements - includes the passenger vehicles, train control and signaling, voice and data 
communications, closed-circuit television cameras and recorders, overhead contact system, traction 
power substations, track, and auxiliary vehicles and equipment 

• Fixed Facilities - includes rail stations, pedestrian overpasses and underpasses, highway overpasses 
and underpasses, aerial and other structures, operations and administrative facilities, and the Central 
and Regional Control Facilities. 

• Safety and Security Plans and Procedures - includes items such as Safety and Security Certification 
Plan (SSCP), Safety and Security related Design Criteria, Passenger Train Emergency Preparedness 
Plan (PTEPP), System Safety Program Plan (SSPP), and Security and Emergency Preparedness 
Plan (SEPP). 

• Procedures and Instructions - includes items such as: Operations and Maintenance procedures, 
rulebooks and manuals; and training programs for operating, maintenance and management 
employees, employee qualifications, contractor training, and emergency responder training.

1.5 SSMP Goals and Objectives

1.5.1 Goals 

The goals of the SSMP are as follows: 

• Achieve an acceptable level of risk through a systematic approach to hazard and threat/vulnerabilities
management

• Ensure that the system initiated into revenue service is safe and secure for passengers, employees,
emergency response personnel, and the general public through a formal program of safety and
security certification

• Ensure that the design, acquisition, construction, fabrication, installation, and testing of critical
elements of the CHST system will be verified for conformance with the established safety and
security requirements and validated for effectiveness in achieving an effective level of safety and
security

• Ensure that a mechanism is provided to follow to completion the resolution of any restriction to full
safety and security certification

• Establish an effective, proactive Construction Safety and Security Program that results in no
accidents for construction employees and the public, as well as minimizes security breaches, during
all CHSTP work activities

1.5.2 Objectives 

The SSMP goals will be achieved by meeting the following objectives: 

• Identifying, evaluating, resolving, and documenting safety hazards and security vulnerabilities at the 
earliest possible phase of the CHSTP 

• Establishing specific safety and security requirements for the CHST System based on applicable 
safety and security regulations, codes, standards, guidelines, and recognized best practices 

• Verifying that all final drawings, specifications, and contracts issued for the CHSTP conform to the 
established safety and security requirements 

• Implementing CHSTP construction safety and security programs in conformance with established 
construction safety and security requirements and complying with the California Occupational Safety 
and Health Administrative safety regulations for construction projects 

• Verifying all CHST system facilities, systems, and equipment have been designed, built, procured, 
installed, inspected, and tested in accordance with the design criteria and specifications 

• Establishing and documenting the qualifications and training programs for all personnel who will 
operate and maintain the CHST system in revenue service 

• Verifying completion of training of personnel who will respond to emergencies, including CHST 
system personnel and emergency responders, on the CHST system emergency procedures, 
equipment, and operations 

• Conducting and documenting, through after-action reports, emergency exercises and drills prior to the 
start of revenue service 

• Documenting safety, security, and emergency rules and procedures for CHST system employees, 
staff, and contractors in the form of rulebooks, standard operating procedures, emergency operating 
procedures, and other documents

• Maintaining a process to manage and track open safety and security issues resulting from design
deviations, change orders, and non-conformances from inception through closure and acceptance

• Documenting final Safety and Security Certification for the CHSTP by means of a Final Safety and
Security Certification Verification Report prior to placing any segment of the CHST system into
revenue service

• Ensuring coordination with the Federal Railroad Administration, California Public Utilities
Commission, the Transportation Security Administration, the State Fire Marshal’s Office, and other
external agencies as applicable

1.6 SSMP Review and Updates 

The SSMP will be reviewed at least annually, whenever the Program Management Plan or other
reference documents are modified, and following any SSMP audit to ensure the safety and security
management program remains current and applicable. If revised, the SSMP will be re-issued to all SSMP
recipients. The SSMP will be updated to reflect changes in the CHSTP or System, the PMT, or the safety
and security management program itself. The review and update process will be the responsibility of the
PMT with the oversight and coordination of the PMT System Safety Manager.

1.7 SSMP Applicability to Third Parties 

The safety and security requirements for third party assets (adjacent infrastructure or operations,
shared-use corridors, utility interfaces, etc.) will be developed following the safety and security management
program of the applicable third party but in conformance to the processes and requirements of this
SSMP. Safety and security certification of third party elements shall conform to the Safety and Security
Certification Program requirements of the third party and Section 7.0 of this SSMP.

2.0 INTEGRATION OF SAFETY AND SECURITY INTO THE CHSTP DEVELOPMENT PROCESS

2.1 Safety and Security Activities 

This section describes the safety and security activities that have been or will be performed during the
major phases of the project. A list of the basic activities and the desired milestone goals are presented in
Table 2-1. The California High-Speed Train Project has four phases:

• Preliminary Engineering

• Final Design

• Construction

• Testing and Startup of Revenue Operations

Within each phase of the CHSTP, activities are identified to determine the safety- and security-related
certification activities expected to be accomplished at each project milestone. The California High-Speed
Rail Authority will apply a detailed safety and security certification program through the assistance of the
Program Management Team (PMT). The safety and security certification program, as described in
Section 7.0 of this Safety and Security Management Plan, will ensure that the project achieves all safety
and security requirements in design criteria and specifications and that the safety and security contents of
the plans, procedures, and training materials are systematically reviewed and revised as required.

Leading up to and through the Preliminary Engineering phase of the project, the safety and security
activities encompass the following activities:

• Develop the SSMP, including a process for achieving safety and security certification, to meet all
Federal Railroad Administration (FRA) requirements for a safety and security management plan in a
major capital project, in conformance with the Federal Transit Administration’s Circular 5800.1 Safety
and Security Management Guidance for Major Capital Projects.

• Develop a list of safety-critical and security-critical elements and items for the CHSTP Preliminary
Hazard Analyses.

• Specify safety and security certification requirements, in conformance with the CHSTP Verification
and Validation Plan, in contract documents. Safety and security certification requirements will be part
of the scope of work for the design/build contractors during the Final Design and Construction phases
of the project, with oversight provided by the PMT.

• Implement a hazard and certification tracking system, to be developed by the PMT’s System Safety
Manager working with the PMT’s Verification and Validation Manager.

• Perform Preliminary Hazard Analyses (PHA) and a Threat and Vulnerability Assessment (TVA) to
identify certifiable elements and hazards/vulnerabilities requiring mitigation. Identify
hazard/vulnerability mitigation from the PHA and TVA to be incorporated into preliminary and final
designs. Perform additional analysis as required.

• Develop design criteria conformance checklists. The tracking system will be an integrated subset of
the Verification & Validation program applied throughout the CHSTP.



HSR 13-06 - EXECUTION VERSION 


Table 2-1 Project Safety and Security Activities Matrix

| Task No. | Safety and Security Task | Project Phase: Prelim. Engr. | Project Phase: Final Design | Project Phase: Construction | Project Phase: Testing and Startup |
|---|---|---|---|---|---|
| 1 | Develop Safety and Security Management Plan (SSMP) | V | => | => | => |
| 2 | Identify Certifiable Elements and Items | V | => | | => |
| 3 | Specify Safety and Security Certification Requirements into Contract Documents | V | => | | |
| 4 | Implement Certification Tracking System | V | => | => | => |
| 5 | Conduct Preliminary Hazard Analysis (PHA) and Threat and Vulnerability Assessment (TVA) and Resolve Unacceptable Hazards and Vulnerabilities | V | | => | |
| 6 | Develop Design Criteria Conformance Checklists | V | => | | |
| 7 | Conduct Independent Safety and Security Audits | | V | => | => |
| 8 | Verify Design Criteria Conformance Checklists and Issue Certificates | | V | => | |
| 9 | Develop Construction Specification Conformance Checklists | | V | => | |
| 10 | Develop Safety-Related Testing Conformance Checklists | | | V | => |
| 11 | Verify Specification Conformance Checklists | | | V | => |
| 12 | Verify Safety-Related Testing Conformance Checklists | | | | V |
| 13 | Verify Operations and Maintenance Manuals Conformance | | | V | => |
| 14 | Complete Contractor Training | | | V | => |
| 15 | Complete Rules and Procedures and Issue Certificates | | | V | => |
| 16 | Complete Operations Training and Issue Certificates | | | | V |
| 17 | Complete Emergency Services Training | | | | V |
| 18 | Complete Emergency Response Exercises | | | | V |
| 19 | Issue Final Safety and Security Certification | | | | V |
| 20 | Issue Final Safety and Security Certification Verification Report | | | | V |

Note: Activities initiated in project phases after PE are preliminary and will be revised for the FD submission of the SSMP.

V = Task activity initiated.

=> = Task activity updated

Activities 1 through 20 in Table 2-1 (Project Safety and Security Activities Matrix) are a projection of
activities that will be initiated and be active in the later project stages.

2.2 Procedures and Resources 

2.2.1 Procedures 

A Project Management Plan (PMP) for the project has been prepared. The PMP establishes the
framework for managing and administering all activities related to implementation of the project and
provides guidance for the coordination of activities. The PMP states that the PMT is responsible for
the basic design of the high-speed rail system, ensuring that common approaches for the environmental
and outreach work are used through the entire alignment, preparing and helping execute bid and
procurement processes for design, construction, maintenance, and operations, and managing the work of
or coordinating with a variety of other consultants to the Authority, notably the Regional Consultants (RC).

A major component of the PMP is this Safety and Security Management Plan, describing processes for
identifying and managing hazards and vulnerabilities associated with the CHST system. It is the
responsibility of the Authority and the PMT to ensure that the management of identified safety hazards
and security threats and vulnerabilities is effective and integrated throughout the design, construction,
testing, and startup phases of the CHSTP.

The Verification and Validation Process will be applied throughout the CHSTP for the purpose of tracking
and verifying that critical elements are incorporated into all project phases. Critical elements include
safety-critical and security-critical elements as identified through the hazard management processes
identified in this SSMP.

2.2.2 Resources 

The Authority Executive Officer authorizes the SSMP, ensuring that it is applied throughout the CHSTP. 
The PMT System Safety Manager administers and oversees the SSMP, supported by the rest of the 
Program Management Team. The Authority and PMT will provide additional safety and security 
management resources for executing the project safety and security activities during the Preliminary 
Engineering phase. Further resources and responsibilities will be identified as the project progresses into 
later phases, culminating in startup and commissioning. 

The budget and schedule for implementation of the SSMP are revised each year and are held with the PMT
Program Director. This assures that the requirements of the SSMP are executed by the PMT and RCs 
during the Preliminary Engineering phase, and by the PMT in subsequent phases of the project. This 
includes, but is not limited to, the performance of safety analyses and security assessments at the 
appropriate phases of the project; implementation of a Safety and Security Certification Program 
beginning at Preliminary Engineering and continuing through each subsequent phase of the project; and 
a process to ensure that safety issues and security concerns are addressed and tracked to resolution. 

2.3 Interfacing with Management 

The California High-Speed Rail Authority Executive Director through the PMT Program Manager has the 
ultimate decision-making authority for safety and security issues and is responsible for communication of 
safety and security issues to the Authority Board of Directors. The PMT System Safety Manager will 
oversee the overall implementation of the safety and security program and will report to the Safety and 
Security Project Committee the progress and challenges in its implementation. The Safety and Security 
Project Committee will communicate the safety and security issues to the Authority executive 
management through reports to the Safety and Security Executive Committee. The PMT System Safety 
Manager will be supported by the PMT Security Manager. 

Successful implementation of the SSMP will also require significant interaction between various members 
of the Authority, the Program Management Team, Regional Consultants, Engineering/Construction 
Managers, and Emergency Response Agencies. These interactions will occur during regularly scheduled
meetings of the Safety and Security Project Committee that focus on the safety and security aspects of
the project.

During the Final Design phase, the relationships from project leadership to design/build contractors and
subcontractors regarding safety and security issues will be identified.

3.0 SAFETY AND SECURITY RESPONSIBILITIES

3.1 Roles and Responsibilities 

The California High-Speed Rail Authority (Authority) is responsible for developing a high-speed train 
system in California in a safe and secure manner, including ensuring that all trains, facilities, systems and 
operational processes are designed, constructed, and implemented in a manner that promotes the safety 
and security of persons and property. The Authority has the ultimate authority and responsibility for the 
implementation of the Safety and Security Management Plan (SSMP) for this project. The Authority is 
tasked to prepare a plan and design for the system, conduct environmental studies and obtain necessary 
permits, and undertake the construction and operation of a high-speed train passenger network in 
California. These tasks are collectively referred to as the California High-Speed Train Project. 

The Federal Railroad Administration (FRA) is the lead agency for the Federal Environmental Impact 
Statement. The FRA is also the primary regulatory agency responsible for approving and certifying the 
system safety and security aspects of the CHST system. At the state level, the California Public Utilities 
Commission has specific responsibilities within the system safety and security program and the electric 
power system that affects the CHST system. 

The Authority has contracted with Parsons Brinckerhoff (PB) as the Program Management Team (PMT), 
and five Regional Consultant (RC) teams to conduct the preliminary engineering on specific segments of 
the line and provide overall Program Management for the CHSTP. The Authority’s primary vehicle for 
oversight of the safety and security activities is the Safety and Security Executive Committee (explained 
in detail in Section 3.3.1). 

The PMT is responsible for the basic design of the high-speed train system, including ensuring that
system safety and security is applied consistently and effectively in the environmental work, in
preparing and helping execute bid and procurement processes for design, construction,
maintenance, and operations, and in managing the work of or coordinating with a variety of other
consultants to the Authority, notably Regional Consultants. The Program Management responsibilities will
be carried out through the entire CHST system alignment and across all phases of the project. 

Led by the PMT Program Director, the Program Management Team will be responsible for the application 
of safety and security in all aspects and phases of the project. The PMT Program Director will delegate 
the authority for managing the SSMP processes to the PMT System Safety Manager and PMT Security 
Manager, with support from the Program Deputy Directors, Discipline Managers, and Regional Managers. 
This support will ensure that other individual project staff members perform in accordance with the SSMP 
in establishing and overseeing the safety and security management tasks. The PMT’s primary vehicle for 
oversight of the safety and security activities is the Safety and Security Project Committee (explained in 
detail in Section 3.3.2). 

Staff members assigned to the CHSTP by the Authority, PMT, contractors, consultants, emergency 
response agencies, FRA and CPUC are responsible for ensuring that the design, construction, 
installation, and testing of all safety-critical and security-critical system elements of the project are 
evaluated for conformance with the safety and security requirements and verified for operational 
readiness before completing each phase of the project. 

Refer to Figure 3-1 for the CHSTP organizational chart for safety and security activities. 

The PMT acts as the Authority’s representative in the management of safety and security in the CHSTP. 
This SSMP shall be updated to reflect any significant changes in the organizational structure or definition 
of responsibilities with respect to safety and security in the CHSTP. 

Figure 3-1 CHSTP Organization for Safety and Security Activities

[Organizational chart not reproduced; the only surviving label is "Authority Executive Staff".]



3.2 Authority Organization 

The Authority has a nine-member policy board and a small core staff, supported by contract with private
firms (the Program Management Team, Regional Consultants and other specialty firms) to carry out the
project’s system safety and security programs, environmental studies, project planning and engineering
work under the supervision and guidance of Authority staff.

The project organization will remain in place throughout the CHSTP development process; however, the
composition of the project organization may be revised to respond appropriately to the changing project
needs as the project proceeds from the preliminary engineering phase through to the start of
revenue service. The Authority project organization during the initial project phases is composed of
Authority and Program Management Team staff supplemented by Regional Consultant staff. In each
phase, the Authority will use the assistance of the PMT to manage all project-related activities, as well as
further assistance from professional engineering and other project management consulting firms.

The current California High-Speed Rail Authority organization is shown in Appendix A.

3.2.1 Authority Executive Director 

The Authority Executive Director oversees and directs the management of all Authority staff and the 
Program Management Team. The day-to-day management of the California High-Speed Train Project is 
the functional responsibility of the PMT Program Director under the direction of the Authority Executive 
Director. The Authority Executive Director ensures that Authority resources are allocated to meet the 
SSMP goals and objectives, and is ultimately responsible for execution of the Safety and Security 
Management Plan through the Program Director and PMT. The Executive Director reports to the 
Authority Board of Directors. 

3.2.2 PMT Program Director 

The PMT Program Director is responsible for the management of the California High-Speed Train Project, 
including system safety and security, throughout all phases of the project. The PMT Program Director will 
have a direct line of reporting to the Authority Executive Director. 

The PMT Program Director serves on the Safety and Security Executive Committee and is responsible for 
ensuring that the PMT actively participates in and supports the safety and security activities of the 
CHSTP. 

3.2.3 PMT System Safety Manager 

The PMT System Safety Manager will report through the PMT O&M Manager to the PMT Program 
Director. The PMT System Safety Manager will coordinate safety activities with the PMT Security 
Manager, PMT Discipline Managers, and chair the Safety and Security Project Committee (SSPC). The 
PMT System Safety Manager will also sit on the Safety and Security Executive Committee (SSEC) to 
ensure that safety and security are not compromised by other priorities of the design and construction 
teams. 

The PMT System Safety Manager has the authority and responsibility for, but is not limited to, the
following:

• Ensuring that the SSMP requirements and processes are being implemented and that SSMP goals 
and objectives are being achieved 

• Performing hazard analyses of CHST system design criteria to determine any potential hazards that 
may be created by system development, expansion or modification, and supporting the development 
of mitigating and controlling factors to address such hazards 

• Participating in the project design reviews, including overseeing and administering formal safety and 
security certification programs 

• Working with PMT engineering, operations and maintenance staff to ensure that the system is being 
designed to safety and security criteria 

• Developing corrective action plans (CAPs) that result from accident/incident investigations, hazard 
analyses, certification of Certifiable Items List (CIL) and safety and security reviews and audits; and 
tracking corrective actions through closeout to ensure that all identified deficiencies are adequately 
mitigated or controlled 

• Providing oversight for the contractors’ job site safety and programs 

• Reviewing and approving site-specific work plans (SSWPs) 

• Investigating accidents and incidents on behalf of the Authority, when requested 

• Reporting unacceptable hazardous conditions to executive management as soon as possible 

3.2.4 PMT Security Manager

The PMT Security Manager will report through the PMT O&M Manager to the PMT Program Director. 
The PMT Security Manager will coordinate security activities with the PMT Safety Manager, PMT 
Discipline Managers, and sit on the Safety and Security Project Committee (SSPC). The PMT Security 
Manager will also sit on the Safety and Security Executive Committee (SSEC) to ensure that safety and 
security are not compromised by other priorities of the design and construction teams. 

The PMT Security Manager has the authority and responsibility for, but is not limited to, the following: 

• Ensuring that the SSMP requirements and processes are being implemented and that SSMP goals 
and objectives are being achieved 

• Performing threat assessments of CHST system operating environments and design criteria to 
determine any potential vulnerabilities that may be created by system development, expansion or 
modification, and supporting the development of mitigating and controlling factors to address such 
vulnerabilities 

• Participating in the project design reviews, including overseeing and administering formal safety and 
security certification programs 

• Working with PMT engineering, operations and maintenance staff to ensure that the system is being 
designed to safety and security criteria 

• Developing corrective action plans (CAPs) that result from accident/incident investigations, hazard 
analyses, certification of Certifiable Items List (CIL) and safety and security reviews and audits; and 
tracking corrective actions through closeout to ensure that all identified deficiencies are adequately 
mitigated or controlled 

• Providing oversight for the contractors’ job site security programs 

3.2.5 Other PMT Managers 

The managers of the following PMT disciplines will be responsible for implementing the SSMP 
requirements and process in their respective areas, participating in the SSPC and for supporting the PMT 
System Safety and Security Manager as required: 

• Engineering, including Infrastructure and Systems 

• Operation and Maintenance 

• Rolling Stock 

• Integration and Regulatory Approvals 

• Project Risk 

• Contracts and Procurement 

• Verification and Validation 

3.3 Committee Structure 

Chapter 2 of the PMP describes the function of various project committees. In addition, various safety and 
security committees listed below will be established to facilitate review of issues and to provide a forum 
for discussion and resolution. 

3.3.1 Safety and Security Executive Committee

The Safety and Security Executive Committee and its members will ensure that the CHST system is
designed, built, and implemented in a safe and secure manner. The SSEC will achieve this goal by
providing oversight of the application of the SSMP through all phases of the CHSTP and by acting as a
conduit for informing and assuring Authority executive management of safety and security issues affecting
the project.

The Safety and Security Executive Committee will address safety and security issues which are Authority
policy considerations, require Authority approval, require Authority direction for resolution of a dispute, or
constitute final acceptance of Safety and Security Certification.

The duties and responsibilities of the Safety and Security Executive Committee are as follows:

• Approve the initial version of the SSMP and subsequent updates

• Oversee the application of the SSMP through all CHSTP phases

• Authorize the establishment of the Safety and Security Project Committee (SSPC)

• Review and approve regular reports of safety and security activities from the SSPC

• Resolve safety and security issues that cannot be resolved at the SSPC level

• Review and approve safety and security certification Certificates of Conformance and a final
Certification Verification Report prior to the advancement into the next project phases

• Provide a forum for safety and security discussions among Authority and PMT Executive
Management

The Safety and Security Executive Committee is comprised of the following persons:

• Authority Executive Director (Chairperson) 

• Authority Safety and Security Staff 

• PMT Project Director 

• PMT System Safety Manager (Committee Secretary) 

• PMT System Security Manager 

The Chairperson of the SSEC is the Authority Executive Director or a designated Authority executive
management representative. If a designated member of the SSEC is unable to attend an SSEC meeting,
they must assign an appropriate representative.

3.3.2 Safety and Security Project Committee 

Working at the project delivery level, the Safety and Security Project Committee will ensure that the CHST
system is designed, built, and implemented in a safe and secure manner. The SSPC will achieve this
goal by providing oversight of the application of the SSMP through all phases of the CHSTP and by acting as
a conduit for informing and assuring Authority executive management (through the Safety and Security
Executive Committee) of safety and security issues affecting the project.

The Safety and Security Executive Committee will address safety and security issues which are directed
to it by the Safety and Security Executive Committee, require PMT resolution, require elevation to the
SSEC for Authority direction for resolution, or constitute preliminary review and approval of Safety and
Security Certification.

The duties and responsibilities of the Safety and Security Project Committee are as follows:

• Recommend to the Safety and Security Executive Committee (SSEC) the initial version of the SSMP
and subsequent updates

• Oversee the application of the SSMP through all CHSTP phases

• Review and approval of PHAs and TVAs as they are developed or updated

• Tracking of identified hazards or vulnerabilities listed on Certified Elements and Hazards List using
the V&V Requirements Management Tool database

• Provide regular reports of safety and security activities to the SSEC

• Forward to the SSEC for resolution any safety and security issues that cannot be resolved at the
SSPC level

• Review and approve safety and security certification Certificates of Conformance and a Final
Certification Verification Report

• Forward Certificates of Conformance and a final Certification Verification Report to SSEC for
Authority acceptance prior to the start of applicable testing phases or startup of revenue service

• Provide a forum for safety and security discussions among PMT staff members and a conduit for
safety and security issues to the Authority through the SSEC

The Safety and Security Project Committee is comprised of the following persons:

• PMT System Safety Manager (Committee Chairperson) 

• PMT System Security Manager 

• PMT O&M Manager 

• EMT Discipline Managers

• PMT Verification & Validation Manager

• PMT Contracts Manager 

• PMT Project Risk Manager 

• PMT RAMS Manager 

If a designated member of the SSPC is unable to attend an SSPC meeting, they must assign an
appropriate representative.

3.3.3 Fire Life Safety and Security Committees (FLSSC) 

The Fire/Life Safety and Security Committees (FLSSC) will be composed of representatives from fire,
police and local building code agencies assigned to two levels of standing committees: a system FLSSC
and several regional FLSSC working on a local level. The project will form the FLSSC during the PE
phase of the project. The purpose of the FLSSC will be to review issues that are critical to fire and life
safety and security, to acquire input and concurrence from the state and local authorities having
jurisdiction over the proposed designs to meet code requirements, and to ensure compliance with state
and local fire code standards or fire/life safety hazard mitigation measures during the design phase. As
the project moves into the Testing and Startup Phase the FLSSC will review operating plans and
procedures, results of after-action reviews following major emergency response incidents or exercises,
and training programs for content appropriateness and effectiveness.

The single system FLSSC will focus on systemic, high-level, fire/life safety and security issues, including
federal and state codes or requirements impacting the regional efforts. A goal of the system FLSSCs is
to obtain concurrence from federal and state authorities with respect to fire/life safety and security
concerns. The system FLSSC will include a representative from each regional FLSSC as well as
representatives from state and federal agencies such as the California Highway Patrol, Office of
Emergency Services, the California Emergency Management Agency, CPUC, FRA, and DHS. The
system FLSSC will be co-chaired by the PMT Safety and Security Managers. Meetings will be held
regularly in Sacramento with agendas, minutes, and other support materials supplied by the committee
co-chairs. Minutes and action items from the meetings will be conveyed to the regional FLSSCs and to
the Safety and Security Project Committee for their consideration.

Regional FLSSC will focus on the CHSTP characteristics specific to their corridor segments (type/length
of underground and elevated structures, access methods, terminals, etc.) to provide input with respect to
local building codes or requirements that are in line with the emergency response characteristics and
capabilities of the local agencies. A goal of the regional FLSSC is to obtain concurrence from local
authorities having jurisdiction over the proposed designs to meet code requirements. The regional
FLSSC will be comprised of appropriate representatives (e.g., Fire Marshal) from local emergency
response agencies (fire, police, EMT) and will be co-chaired by the PMT Safety and Security Managers.
Meetings will be held regularly at a location local to the regional corridor, with agendas, minutes, and 
other support materials supplied by the committee co-chairs. Minutes and action items from the meetings 
will be conveyed to the system FLSSC and to the Safety and Security Project Committee for their 
consideration. One representative from each regional FLSSC will be asked to participate in the system 
FLSSC. Consistent membership is critical to success. Each regional representative must be the same 
representative attending to System FLSSC matters and reporting results to their specific Regional 
Committee. 

3.3.4 Program Change Control Board 

Change control for the CHSTP will be in conformance with PC2.04 Program Change Control Procedure.
The procedure includes a Change Control Board made up of Authority, PMT, and PMO representatives.

3.4 Rail Activation Committee (RAC) 

The Rail Activation Committee (RAC) will coordinate planning and process development efforts for the
operational testing of the system and eventual startup of revenue service. The RAC will be
multi-disciplinary in scope and will be established during the latter stages of the Construction Phase.

3.5 System Integration Testing Committee (SITC) 

The System Integration Testing Committee (SITC) will coordinate the development of an integrated 
testing program. The SITC will plan for the effective and efficient testing of subsystems, and then the 
overall system, including ensuring that as testing progresses mitigations are taken to ensure the safety of 
the tests. The maturity of the various subsystems will be taken into account prior to full development and 
assurance that the systems are proven safe. The SITC will be multi-disciplinary in scope and will be 
established during the latter stages of the Construction Phase. 

3.6 Safety and Security Responsibilities Matrix 

The requirements, authority, and activities for safety and security will be integrated into the overall project 
management. At each stage of project advancement, there will be a process in place to ensure that the 
appropriate parties are aware of their safety and security responsibility associated with the project activity. 
The Safety and Security Responsibility Matrix (Table 3-1) lists the activities to be performed and assigns 
the responsibilities from the Preliminary Engineering phase through system Start-up phase. 

Table 3-1 Safety and Security Responsibilities Matrix

Key Safety and Security Certification Steps         | Preliminary Engineering Phase    | Final Design Engineering Phase   | Construction Phase               | Testing/Startup Phase            |
                                                    | AUT  | S/S  | PMT  | CMT  | DBC  | AUT  | S/S  | PMT  | CMT  | DBC  | AUT  | S/S  | PMT  | CMT  | DBC  | AUT  | S/S  | PMT  | CMT  | OMC  |
Develop/update Certifiable Elements and Hazards Log |      | P    | S    |      |      |      | S    | S    | S    | P    |      | S    | S    | S    | P    |      | S    | S    | S    | P    |
Hazard and Vulnerability Analyses                   |      | P    | S    |      |      |      | A    |      | S    | P    |      |      |      |      |      |      | A    |      | S    | P    |
Develop S/S Design Criteria                         |      | S    | P    |      |      |      | A    |      | S    | P    |      |      |      |      |      |      | A    |      | S    | P    |
Develop V&V Certifiable Items Lists                 |      | S    | P    |      |      |      | A    |      | S    | P    |      | A    |      | S    | P    |      | A    |      | S    | P    |
Verification of S/S Certifiable Items Lists         |      | S    | P    |      |      |      | A    |      | P    | S    |      | A    |      | P    | S    |      | A    |      | P    | S    |
Issue Phase Certificates of Conformance             |      | S    | P    |      |      |      | A    | A    | P    | S    |      | A    | A    | P    | S    |      | A    | A    | P    | S    |
Approve Phase Certs. of Conformance                 | P    | S    | S    |      |      | P    | S    | S    |      |      | P    | S    | S    |      |      | P    | S    | S    |      |      |

Abbreviations:
AUT = Authority
S/S = PMT Safety & Security
PMT = Program Mgmt. Team
CMT = Construction Mgmt. Team
DBC = Design/Build Contractors
OMC = Operations & Maintenance Contractors
PE = Preliminary Engineering Phase
FD = Final Design Phase
CN = Construction Phase
TS = Testing & Startup Phase

Responsibilities:
P = Primary
S = Supporting
A = Audit

4.0 SAFETY AND SECURITY ANALYSIS
4.1 Overview


A hazard is a condition or circumstance that could lead to an unplanned or undesired event which, when
it occurs, can cause injury, illness, death, damage or loss of equipment or property, or severe
environmental damage.

Threats are defined as specific intentional acts that will damage the system, its facilities, or its patrons.
Threats include any intentional actions which detract from overall security. They range from the extreme
of terrorist-initiated bombs or hostage-taking to more common events such as theft of services,
pickpocketing, graffiti and vandalism. Vulnerability is defined as the susceptibility of the system to a particular
type of security threat.

A formal process for the management of safety hazards and security threats and vulnerabilities will be
used for the CHSTP. The purpose of the process is as follows:

• Identify and evaluate the effects of hazardous conditions and security threats and vulnerabilities on
passengers, CHST system personnel, CHST system infrastructure and equipment

• Define and evaluate countermeasures to eliminate or control the identified hazards and security
threats and vulnerabilities

• Provide timely notification of the identified hazards and threats and vulnerabilities to design
personnel to resolve them

• Document the safety and security concepts incorporated and used during design and provide the
basis for developing procedures to either complement the design safety and security concepts or
resolve the hazard and security threat/vulnerability through procedures, training, or other means if
the design does not satisfactorily resolve the issue

Managing hazards and security threats and vulnerabilities through identification, assessment, resolution,
and tracking will be an essential function of the PMT from preliminary engineering through system
start-up. This process will be initiated during the preliminary engineering (PE) phase of the Project. The PMT
System Safety Manager will perform a Preliminary Hazard Analysis (PHA) and the PMT Security Manager
a Threat and Vulnerability Assessment (TVA) upon final selection of the alignment and in the earliest
stages of design. These processes will be coordinated through and reviewed by the SSPC.

The TVA will follow the methodology in the FTA document Public Transportation System Security and
Emergency Preparedness Planning Guide. Because of the sensitive nature of the security risk
assessment, only those with a “need-to-know” will have access to the TVA, and the document will be
considered Sensitive Security Information (SSI).

The development of the safety hazard analyses and security risk assessments will be coordinated with 
the appropriate engineering disciplines for the identification of applicable hazards/security risk issues and 
recommended control measures. Upon completion of PHAs and TVAs a Preliminary Hazard Analysis 
Report and Threat and Vulnerabilities Report will be prepared and submitted to the SSPC for review. The 
SSPC will elevate the reports to the SSEC as appropriate to the processes described in Section 3.3.2. 

As the Project enters Final Design, the design/build contractors will review and update the PHA and TVA 
and perform other analyses as warranted by local or site-specific conditions or designs. Any deviations to 
the Design Criteria developed by the PMT or design/build contractors will require a hazard analysis or 
vulnerability assessment for each deviation to ensure that the same level of safety is achieved as would 
have occurred had the Design Criteria been followed. Other hazards or vulnerabilities may be identified 
during the normal course of work on the project, including such activities as design reviews, construction 
inspection and testing, and start-up and integrated testing. Additional hazards or vulnerabilities identified 
during these activities will also require a hazard analysis or vulnerability assessment to be performed by
the design/build contractor.

The SSPC will be responsible for reviewing and approving all hazard analyses and vulnerability
assessments to ensure that significant safety hazards and security threats and vulnerabilities are
identified and that the proposed countermeasures adequately resolve the issues. The SSPC will monitor
the status of the identified hazards and vulnerabilities from initial identification through final resolution and
closure in conformance with the V&V process and by utilizing reports from the V&V Requirements
Management Tool database. Sensitive security issues will be tracked on a separate log per the CHSTP
SSI Program.

4.2 Safety and Security Analysis Processes 

This section of the SSMP describes the requirements of safety analysis for the CHSTP and the processes
the Program Management Team and all contractors (including design/build contractors) will use to
identify, evaluate, and resolve potential hazards or threats and vulnerabilities associated with the design,
construction, testing and commissioning of the project.

The objective of safety analysis is to assess identified hazards in terms of the severity or consequence of
the hazard and the probability of occurrence, and to find an acceptable resolution. Hazards which cannot
be eliminated in the design are to be controlled by providing safety devices, warning devices, and
providing adequate training and written instructions to the high-speed rail system operator to prevent
accidents.

The safety analyses required are part of a formalized process to identify, eliminate and/or control
hazards. Specifically, the safety analyses provide for the:

• Identification of hazards

• Assessment of the severity and probability of occurrence of the potential hazard

• Timely awareness of hazards for those who must resolve them

• Traceability and control of hazards through all phases of a system’s life cycle.

Safety analyses are an essential part of the preventive and proactive aspect of the system safety
program. Safety analyses primarily identify and describe hazards that might arise from flaws and fault
conditions in the design and operation of a system or subsystem. Thus, a safety analysis is an important
element in the development of a system in which hazards must be eliminated or controlled to an
acceptable level.

4.2.1 Hazard Analysis Methodology 

Two basic types of analytical approaches will be utilized, inductive and deductive.

The inductive approach uses a bottom-up technique, based on inductive reasoning, which applies logical
reasoning from particular facts to a general conclusion. This technique investigates effects that begin with
a bottom or lower level event or occurrence and proceeds upward to determine what effect the lower level
event has on the total system.

The deductive approach uses a top-down technique, based on deductive reasoning, which applies logical
reasoning from the general to the specific. This technique investigates causes that begin with a selected
top-level unacceptable or undesirable event or hazardous occurrence, and proceeds downward to
determine all of the elements which contribute to the occurrence of the top-level event.

Safety analyses can be performed qualitatively or quantitatively. A qualitative analysis is a review of
factors affecting the safety of a system. Possible conditions and events and their consequences should
be considered to determine whether they could cause or contribute to injury or damage. The objective is
to achieve maximum safety by eliminating or controlling all hazards posing an unacceptable or
undesirable risk as measured by their combined hazard severity and qualitative frequencies of
occurrence.

A quantitative analysis is a mathematical assessment of an actual or potential event, such as an accident.
Quantitative evaluations can be used to establish absolute or relative frequencies of occurrence. A
quantitative analysis will normally be accompanied, or preceded, by a qualitative analysis. Therefore, any
mention of a quantitative analysis implies that a qualitative analysis has also been performed.

The types of analyses which may be required for the CHSTP are described below.

• Preliminary Hazard Analysis (PHA) is typically the initial hazard analysis technique used during the
system or subsystem design phase. A PHA is used to identify safety critical areas within the system
and roughly evaluate hazards and begin to consider safety design criteria. PHA establishes the basis
for the safety criteria in design, equipment, and performance specifications.

• Site-Specific Hazard Analysis (SSHA) is an expansion of the PHA, conducted as the general design
criteria and system requirements are applied to specific system and subsystem elements. An
example would be an SSHA for an elevated structure spanning the SR-99 highway in Fresno,
applying the safety-critical criteria found in the Design Criteria to the specific characteristics and site
conditions of this structure. SSHA is generally performed during the Final Design, construction, and
Testing/Startup Phases. The primary output of the SSHA is the identification and evaluation of
hazards and mitigations that are specific to the system element under consideration.

• Failure Modes and Effects Analysis (FMEA) is an inductive analysis used to identify equipment
failures. It evaluates a system or subsystem to identify possible failures of each individual component
in the system. The results or effects of the subsystem and component failures are then classified
according to severity.

• Fault Tree Analysis (FTAN) is representative of the deductive process. The purpose of the Fault Tree
Analysis is to provide a concise and orderly description of the various combinations of possible
occurrences within the system that can result in an undesired event. This is the most rigorous of the
hazard identification process and analyses and is typically performed for the most complex systems.

• Interface Hazard Analysis (IHA) is performed to identify design hazards in components and
subsystems of a major system. IHA determines the functional relationships between the systems,
subsystems, processes, components and equipment based solely on safety considerations and also
identifies all elements in which a functional failure could result in a hazardous condition or accidental
loss.

• Operating Hazard Analysis (OHA) is performed to determine all applicable operational safety
requirements for personnel, procedures, and equipment throughout all phases of the system life
cycle. Engineering data, procedures, and instructions developed from other safety analyses, the
engineering design, and initial test programs are used to support this analysis.

• Software Hazard Analysis (SHA) will be used to evaluate software design, and related software and
hardware documentation will be reviewed for safety-critical software-controlled functions. The
analysis will review software and hardware failures that could cause the system to operate in a
hazardous manner.


4.2.2 Interrelationships 

To appreciate the utility of the safety analyses described in this document it is useful to understand their
interrelationships and when they should be applied during the project life cycle. Table 4-1 displays the
time frame in the life of a project when each safety analytical technique provides the most benefit. It
should be understood that the number of in-process submittals of an analysis will vary and depend on the
nature, complexity, and duration of the system contract and its life cycle.



4.2.3 Hazard Identification And Resolution Process 

The process flow used for identifying hazards, which consists of review of the design and operational
concepts and incorporation of historical information and data from similar high-speed rail systems, is
identified in Table 4-2.

Table 4-2 - Hazard Identification and Resolution Process


1. DEFINE THE SYSTEM 

• Define the physical and functional characteristics and understand 
and evaluate the people, procedures, facilities, equipment, and 
environment. 

2. IDENTIFY HAZARDS 

• Identify hazards and undesired events 

• Determine the causes of hazards 

3. ASSESS HAZARDS 

• Determine severity 

• Determine probability 

• Decide to accept risk or eliminate/control 

4. RESOLVE HAZARDS 

• Assume risk or 

• Implement corrective action 

o Eliminate 
o Control 

5. FOLLOW-UP 

• Monitor for effectiveness 

• Monitor for unexpected hazards 


4.2.3.1 Hazard Resolution 

As part of the hazard assessment process, hazards can be resolved by deciding to either assume the risk 
associated with the hazard or to eliminate or control the hazard. Mitigation of the risk associated with 
each hazard to an acceptable level shall be applied in the following order of precedence: 

1. Avoidance 

2. Elimination 

3. Substitution 

4. Engineering Controls 

5. Warnings 

6. Administrative Controls such as Operations and Maintenance Procedures 

7. Personal Protective Equipment and Guards 

4.2.3.2 Residual Hazard Risk Index 

After the adoption of measures of mitigation the anticipated residual hazard risk index, expressed as the 
combined hazard severity and probability of occurrence, will be identified on the analysis sheet for each 
hazard. This will help evaluate the effectiveness of the corrective action and establish whether the 
residual hazard is acceptable. 

Hazards identified as “acceptable with review” may be accepted in an “as-is” condition with no further
design mitigation required. Operating and maintenance procedures must be developed, however, for
periodic tests and inspections of the subject item to ensure an acceptable level of safety is maintained
throughout the life of the system. The hazards and mitigations will be reviewed by the Safety and
Security Project Committee (SSPC), with recommendation made to the Safety and Security Executive
Committee (SSEC) for decision. Acceptance of the level of safety will be provided by the Authority
through the SSEC, chaired by the Authority Executive Director.

4.2.3.3 Residual Risk Acceptance or System Disposal 

Hazards identified as having an unacceptable and undesirable risk will be analyzed using logic network
analyses (such as fault tree) to determine effectiveness of corrective action. Unacceptable and
undesirable risk will be reduced to an acceptable level before design acceptance, or a decision must be
made to accept the hazard or dispose of the system. The hazards will be reviewed by the Safety and
Security Project Committee (SSPC), with recommendation made to the Safety and Security Executive
Committee (SSEC) for decision. Acceptance of the level of safety or disposal of the system will be
provided by the Authority through the SSEC, chaired by the Authority Executive Director.

4.2.3.4 Documentation 

For the contractor-performed safety analyses, appropriate support documentation used in the
development of the analysis will be identified or referenced in detail as part of each analysis, including,
but not limited to, the following:

• Schematics, drawings, block diagrams

• System description including modes of operation and tasks

• Lists of Line Replaceable Units (LRUs), assemblies, parts and components addressed within each
subsystem and system

• Documented reliability and safety data including failure rate data obtained from service use in
identical or manifestly similar equipment in similar environment

• Documented reliability and safety data obtained from formal test results, conducted in similar
applications

• Documented reliability and safety data obtained from formal analyses, conducted for equipment in
similar applications

4.2.4 Key Definitions 

The major output of the safety analyses is the identification and evaluation of hazards. It is important to 
provide a uniform interpretation of the severity and probability of the hazards. The following definitions are 
used to develop the hazard analyses. 

4.2.4.1 Hazard Severity 

Hazard severity categories are defined to provide a qualitative measure of the worst credible mishap 
resulting from personnel error, environmental conditions, design inadequacies, procedural deficiencies, 
system, subsystem or component failure, or malfunction. For the CHSTP, the hazard severity definitions 
are defined in Table 4-3. 

Table 4-3 - Hazard Severity Definitions 

Hazard Category I - Catastrophic 

Any hazard that can lead to: 

• Numerous fatalities 

• Numerous severe injuries 

• Severe damage or total loss to multiple railcars 

• Severe damage to rail infrastructure 

• Severe damage to another train or a fixed immoveable object (e.g. bridge abutment) 

• Other severe system loss causing all or a significant portion of the system unavailable for 
normal service for more than 5 calendar days 

• Severe environmental damage (including hazards associated with chemical, biological, 
radiological, nuclear and explosions) 

Hazard Category II - Critical 

Any hazard that can lead to: 

• A fatality or multiple severe injuries 

• Severe occupational illness 

• Major but repairable damage to railcars 

• Major damage to rail infrastructure, but repairable within 5 calendar days to allow service to 
operate in the area 

• Other major system loss, but repairable within 5 calendar days to allow service to operate in the 
area 

• Major environmental damage (including hazards associated with the release of hazardous 
material into environment that may result in injury or death) 

Hazard Category III - Serious 

Any hazard that can lead to: 

• Non-recoverable injuries or multiple minor injuries that require hospitalization and may lead to a 
fatality 

• Serious occupational illness 

• Serious but repairable damage to railcars 

• Serious damage to rail infrastructure, but repairable within 24 hours to allow service to operate 
in the area 

• Other serious system loss, but repairable within 24 hours to allow service to operate in the area 

• Serious environmental damage (including hazards associated with the release of hazardous 
material into environment that requires evacuation) 

Hazard Category IV - Marginal 

Any hazard that can lead to: 

• Recoverable (non life threatening) injuries that may require admittance to an emergency room 
for testing and/or hospital for observation 

• Minor occupational illness 

• Minor repairable damage to railcars 

• Minor damage to rail infrastructure, repairable within 2 hours to allow service to operate in the 
area 

• Other minor system loss, repairable within 2 hours to allow service to operate in the area 

• Minor environmental damage (associated with release of hazardous material into environment 
less than the ERA reportable amount) 

Hazard Category V - Negligible 

Any hazard that can lead to: 

• Superficial injuries that may require first-aid treatment only 

• Less than minor occupational illness 

• Less than minor environmental damage (associated with hazardous material spill) 

• System shut down of less than 30 minutes 

4.2.4.2 Hazard Probability 

The assessment of the hazard should also include a probability of occurrence. Assigning a quantitative 
probability to a hazard is generally not possible early in the design or planning process. A qualitative 
hazard probability can be derived from research, analysis, and evaluation of historical safety data from 
similar systems. The hazard probability (frequency of occurrence) levels are defined in Table 4-4, which 
includes a column on “Period of Occurrence (T) of an Event” that can be used as a guide in determining 
qualitative level of frequency of occurrence of a hazard. 


Table 4-4 - Frequency of Occurrence 

Description | Level | Definition | Period of Occurrence (T) of an Event 
Frequent | A | Likely to occur frequently in the life of an item; continuously experienced in the fleet. | T < 2 months 
Probable | B | Will occur several times in the life of an item; will occur frequently in the fleet. | 2 months < T < 1 year 
Occasional | C | Likely to occur sometime in the life of an item; will occur several times in the fleet. | 1 year < T < 10 years 
Remote | D | Unlikely, but possible to occur in the life of an item; unlikely, but can reasonably be expected to occur in the fleet. | 10 years < T < 30 years 
Highly unlikely | E | So unlikely, it can be assumed occurrence may not be experienced. Failure of a series of risk control measures must happen before the event can occur. | T > 30 years 


4.2.4.3 Hazard Risk Assessment and Acceptance Criteria 

Hazard analyses establish hazard severity category (I through IV) and hazard probability ranking (A 
through E) which are combined into a Hazard Risk Index, reflecting the combined severity and probability 
ranking for each identified hazard. Risk assessment criteria are applied to the identified hazards based on 
their severity and probability of occurrence, to determine acceptance of the risk or the need for corrective 
action to further reduce the risk. The hazard risk index and risk acceptance criteria are defined in Tables 
4-5 and 4-6 respectively. 

Table 4-5 - Risk Assessment Matrix 

Event Frequency of Occurrence | Event Severity: I (Catastrophic) | II (Critical) | III (Serious) | IV (Marginal) | V (Negligible) 



Table 4-6 - Risk Acceptance Criteria 

Hazard Risk Index | Acceptance Criteria 
 | Unacceptable 
ID, iiD, iiiB, me | Undesirable (decision required SSEC) 
I^NE, IID, HIE, IVA, IVB | Acceptable with review by SSEC 
IVC, IVD, IVE, VA, VB, VC, VD, VE | Acceptable 


Hazards identified as “acceptable with review” may be accepted in an “as-is” condition with no further 
design mitigation required, however the hazard analysis must be reviewed and approved by the SSEC. 
See Section 4.2.3.3 for details. 


4.2.4.4 Systems and Subsystems 

A system is a composite, at any level of complexity, of personnel, procedures, materials, tools, 
equipment, facilities, and software. The elements of this composite entity are used together in the 
intended operational or support environment to perform a given task or achieve a specific production, 
support, or mission requirement. 

A subsystem is an element of a system that in itself may constitute a system. Depending on the nature 
and scope of the contract or subcontract, the connotation of system and subsystem may differ. For 
example, if the safety analyst conducts an Interface Hazard Analysis, the system would be the entire 
high-speed rail system and the interfacing subsystems, for example, could be high-speed rail system 
elements such as the passenger vehicle, traction power, train control, and communications. If the vehicle 
contractor conducts an IHA, the system would be the passenger vehicle and examples of subsystems 
could be the vehicle propulsion subsystem and friction brake subsystem. If the propulsion supplier 
conducts an IHA, the system would be the propulsion system and the subsystems could be the traction 
motors and the gear reducer and coupling. 

4.2.4.5 System Mode 

System mode is the state in which the system under analysis is assumed to be. The system may be in 
one of three states: normal (N); abnormal (A), which is a failure recovery mode (e.g., single track 
operation); or, emergency (E). The following is an explanation of the three possible system modes: 

• NORMAL CONDITION (N): Refers to an operating condition wherein the high-speed rail system is 
operating under nominal design and operating conditions. Normal conditions mean that all systems 
are functional and the high-speed rail system is not under pre-existing degraded performance due to 
an existing malfunction. 

• ABNORMAL CONDITION (A): Refers to an operating environment wherein the high-speed rail 
system is operating under conditions of faults or malfunctions, which in and of themselves are not 
catastrophic or critical but degrade quality of service and possibly increase risk exposure. Abnormal 
conditions may require departure from the nominal operating conditions, and implementation of failure 
management and failure recovery strategies to continue revenue service with alternative measures or 
workarounds. Examples could be equipment malfunctions or maintenance constraints which require 
single-track operation on a segment of track, or the temporary implementation of a manual block 
system in lieu of failed ATP equipment, to provide an equivalent level of safety in lieu of failed 
equipment. 

• EMERGENCY CONDITION (E): A life threatening situation posing clear and present danger such as 
fire/smoke on the vehicle, fire in a station, collision/derailment of the vehicle, bomb threat, etc. 

4.2.5 Hazard Analysis Types 

4.2.5.1 Preliminary Hazard Analysis (PHA) 

The primary output of the PHA is the early identification and evaluation of hazards and mitigations on a 
high-level systems requirement basis. The following instructions are used in the development of the 
hazard analyses. 


PURPOSE 

The purpose of the PHA is to provide an early assessment of 
the hazards associated with a design or concept. 

PROCEDURE 

The PHA identifies critical areas, hazards and criteria being 
used and considers: hazardous events, components, 
interfaces, environmental constraints, and operating, 
maintenance and emergency procedures. 

When possible, the corrective action should identify the 
approach(s) to be taken: design change, procedures, and 
special training and personnel qualifications. 

RESULTS 

The PHA will provide for verification that corrective or 
preventive measures or procedures are taken in safety reviews, 
modification of specifications, and generation of methods and 
procedures to eliminate, minimize or control hazards and 
provide inputs to the interface hazard analysis, operating 
hazard analysis and failure mode and effects analysis. 

DOCUMENTATION 

Document the analysis to show compliance with the specified 
safety and operational requirements, and provide for the 
tracking of actions and verifying effectiveness. 

INSTRUCTIONS FOR COMPLETING THE PHA FORM: 


• In System, enter the nomenclature of the applicable system element. 

• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes 
the item or hazard undergoing PHA. 

• In PHA No., enter the PHA number for the subsystem element. This coding will be sequentially numbered by 
each Contractor for each subsystem and will be utilized for all related analysis. 

• In Rev. No., enter the revision number of the PHA to indicate the latest status. 

• In Sheet _ of _, enter the individual sheet number and the total number of sheets contained in this analysis. 

• In Prepared by _ Date _, the preparer will sign and enter the date of issue or completion on each sheet of 
the analysis. 

• In Reviewed by _ Date _, the reviewer will sign and enter the date of review on each sheet of the analysis. 

• In Approved by _ Date _, the person responsible for approval will sign and enter the date of approval on 
each sheet of analysis. 

• In No., enter the reference number which uniquely identifies the high-speed rail system element and any 
identifiable element subsystem and item being analyzed. 

• In System Mode, enter state of the system when the failure mode or hazardous condition occurs (See 
Definitions). 

• In HAZARD DESCRIPTION, describe an immediate condition which could lead to an accident involving 
potential injury, death or equipment damage. 

• In POTENTIAL CAUSE, enter the most likely primary and secondary causes that can potentially contribute 
to the presence of the hazard. 

• In EFFECT ON SUBSYSTEM / SYSTEM, describe the effect that the hazardous condition may have on the 
system element or its element subsystem in terms of safety (e.g. delay, inconvenience, injury, damage, 
fatality, etc.) 

• In HAZARD RISK INDEX, enter a combination of the qualitative measure of the worst potential consequence 
resulting from the hazard, and its probability of occurrence (e.g., IA, IIB, etc.), under the following conditions: 

• In INITIAL, enter the designation for hazard risk index estimated prior to implementation of the controlling 
measures, considering the condition of the subsystem element if no measures of mitigation were applied. 

• In RESIDUAL (PROJECTED), enter the designation for hazard risk index estimated following the 
adoption/implementation of the proposed controlling measures. This may result in reduction of either the 
probability of occurrence or the severity of the hazard, or both. 

• In POSSIBLE CONTROLLING MEASURES AND REMARKS, describe the proposed measures of mitigation 
that can be applied to prevent or reduce the severity and probability of the hazard under analysis. 

• In RESOLUTION, describe changes made or steps taken relative to design and/or procedures, training, etc., 
to eliminate or control the hazard. The identified reference should be as specific as possible for verification 
purposes. 

Figure 4-1 Sample PHA 

California High-Speed Train Project 
Preliminary Hazard Analysis (PHA) 
DRAFT 12/08/2011 

System: Infrastructure 
Subsystem: R-O-W, Generally 
PHA No. 1.1.1 Rev. No. 0 
Prepared by: / Date: 
Reviewed by: / Date: 
Approved by: / Date: 

General Description: Derailment 

No.: 4 
System Mode: A 
Hazard Description: Washout 
Potential Cause: Flooding, scouring 
Effect on Subsystem / System: Derailment w/mass casualties, property damage, service interruption 
Hazard Risk Index, Initial: I-B Unacceptable 
Hazard Risk Index, Residual (Projected): II-E Acceptable w/Review 
Controlling Measures and Remarks: 1) Perform hydraulics analysis and incorporate results into 
subgrade design, slope protection and setting of profile. 2) Install appropriate drainage. 
3) Inspection and maintenance of drainage systems. 4) Identification and monitoring by O&M 
of potential hazardous locations. 
Resolution / Reference: 



Note - Figure 4-1 is a sample representation only. Refer to current PHA for identified hazards and controlling measures. 

4.2.5.2 Site-Specific Hazard Analysis (SSHA) 

The SSHA is conducted as the general design criteria and system requirements are applied to specific 
system and subsystem elements. An example would be an SSHA for an elevated structure spanning the 
SR-99 highway in Fresno, applying the safety-critical design criteria found in the design manual to the 
specific characteristics and site conditions of this structure. SSHA is generally performed during the Final 
Design, construction, and Testing/Startup Phases. The primary output of the SSHA is the identification 
and evaluation of hazards and mitigations that are specific to the system element under consideration. 

The instructions for completing the SSHA form are the same as for the PHA form, as identified in Section 
4.2.5.1 of this SSMP. 

4.2.5.3 Failure Mode and Effects Analysis (FMEA) 

PURPOSE 

The purpose of the FMEA is to determine the results or effects 
of item failures on a system operation and to classify each 
potential failure according to its risk index (severity and 
frequency of occurrence). The goal is to provide an early 
identification of failures with unacceptable and undesirable risks 
so that they can be eliminated or minimized through appropriate 
actions at the earliest possible time. 

PROCEDURE 

Variations in design complexity and available data will generally 
dictate the analysis approach to be used. There are two primary 
approaches for accomplishing an FMEA, the hardware 
approach and the functional approach. 

The hardware approach is normally used when hardware items 
can be uniquely identified from schematics, drawings, and other 
engineering and design data. The hardware approach is 
normally utilized in a part level up fashion (bottom-up 
approach); by listing individual hardware items and analyzing 
the effect of their possible failure modes on the entire system 
and its subsystems. 

The functional approach is normally used when hardware items 
cannot be uniquely identified or when system complexity 
requires analysis from the initial indenture level downward 
through succeeding indenture levels (top-down approach). The 
functional approach recognizes that every item is designed to 
perform a number of functions that can be classified as outputs. 
The outputs are listed and their failure modes analyzed. 

The FMEA may be performed as a hardware analysis, a 
functional analysis, or a combination analysis depending on the 
design detail available. 

The FMEA will examine the system element by element, to 
evaluate the system for safety hazards and ultimately to assess 
risk. Each identified failure mode will be assigned a severity 
classification. A probability of occurrence will also be assigned 
in accordance with MIL-STD-882D. The resulting risk index will 
be utilized during design to establish priorities for corrective 
actions. The FMEA will be reviewed on a continuous basis to 
verify that design modifications do not add hazards to the 
system. 

To perform a FMEA, the following process should be 
implemented: 

• Identify all major system components, functions, and 
processes 

• Determine consequences of interest 

• Determine the potential failure modes of interest 

• Specify effects of failures of system 

• Identify safety provisions to control hazards and failures 

• Identify detection methods for failures 

• Establish overall significance of each failure 

RESULTS 

The FMEA will provide information to evaluate identified 
hazards, identify safety critical areas and provide inputs to 
safety design criteria and procedures with provisions and 
alternatives to eliminate or control all unacceptable and 
undesirable hazards based on their combination of severity and 
probability of occurrence, and to identify critical items. 

DOCUMENTATION 

Document the analysis to show compliance with specified 
system safety requirements and to track the corrective action. 

INSTRUCTIONS FOR COMPLETING THE FMEA FORM: 


• In Contract No., enter the contract number for which the FMEA is being performed. 

• In Contractor, enter the name of the Contractor responsible for the FMEA. 

• In FMEA No., enter the FMEA number which will be coded and sequentially numbered by each Contractor 
for each system. This coding sequence will be utilized for all related analyses. 

• In Rev. No, enter the revision number of the FMEA to indicate the latest status. 

• In System, enter the nomenclature of the applicable system. 

• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes 
the item undergoing FMEA. 

• In Drawing No., enter the drawing number of the drawing on which the line replaceable unit (LRU) is 
indicated. 

• In Sheet _ of _, enter the individual sheet number and the total number of sheets contained in this analysis. 

• In Prepared by _, Date, the preparer will sign and enter the date of issue or completion on each sheet of the 
analysis. 

• In Reviewed by _, Date -, the reviewer will sign and enter the date of review on each sheet of the analysis. 

• In Approved by _ Date -, the Contractor's Project Manager will sign to approve and enter the date of 
approval on each sheet of analysis. 

• In LRU NO. AND DESCRIPTION, enter the reference number nomenclature and brief functional description 
of the component / assembly. 

• In FAILURE MODE, describe an immediate failure mode or fault condition which could lead to an accident 
involving potential injury, death or equipment damage. 

• In CAUSE OF FAILURE, enter the most likely primary and secondary causes that can potentially contribute 
to the presence of the hazard. 

• In EFFECT OF FAILURE ON SUBSYSTEM/ SYSTEM/ PERSONNEL, describe the effect that the failure 
mode or fault condition may have on the item and the next higher level, i.e., subsystem or system element in 
terms of inputs and outputs, and in terms of system safety and operational impact (e.g. delay, 
inconvenience, injury, damage, fatality, etc.) 

• In SEVERITY OF OCCURRENCE, enter the potential impact of fault condition or failure mode on system 
operation (catastrophic, critical to insignificant). 

• In PROBABILITY OF OCCURRENCE, enter a qualitative or quantitative measure of the probability of 
occurrence of the failure mode or fault condition in accordance with MIL-STD-882D. 

• In POSSIBLE CONTROLLING MEASURES AND REMARKS, describe actions that can be taken or 
procedural changes that can be made to prevent the anticipated hazardous event from occurring. Enter 
name(s) of related analysis and reference number(s) and which approach is being proposed: Design 
Change, Procedures, Special Training, etc. 

• In RESOLUTION, describe changes made or steps taken relative to design and/or procedures, training, etc., 
to eliminate or control the hazard and the resulting risk index. 

4.2.5.4 Fault Tree Analysis (FTAN) 

PURPOSE 

The Fault Tree Analysis (FTAN) is a deductive procedure used 
to determine the various combinations of hardware and 
software failures and human errors that could cause undesired 
events (referred to as top events) at the system level. The 
FTAN has much use because of its ability to distinguish 
between those events that must occur (represented by an AND 
gate) and those that simply can occur (represented by an OR 
gate) in order for the top event to occur. The analysis thus 
helps to identify potential causes of system failures before the 
failures actually occur. The deductive analysis begins with a 
general conclusion, then attempts to determine the specific 
causes of the conclusion by constructing a logic diagram called 
a fault tree. After completing an FTAN, efforts can be directed 
to improve system safety. 

PROCEDURE 

The FTAN will be conducted on unresolved undesirable or 
unacceptable hazards identified in other safety analyses. 
The following procedure will be used to perform a comprehensive FTAN: 

1. Define the undesirable/unacceptable hazard, and write 
down the top level event. 

2. Using technical information and professional 
judgments, determine the possible reasons for the top 
level event to occur. These are level two elements 
because they fall just below the top level event in the 
tree. 

3. Continue to break down each element with additional 
gates to lower levels. Consider the relationships 
between elements to help decide proper selection of 
the logic gate. 

4. Finalize and review the complete diagram. The chain 
can only be terminated in a basic fault: human, 
hardware, or software. 

5. If possible, evaluate the probability of occurrence for 
each of the lowest level elements and calculate the 
statistical probabilities from the bottom up. 

RESULTS 

The information charted on a fault tree provides a qualitative 
analysis by demonstrating how specific events will affect an 
outcome. If probability data is known for these events, then the 
FTA can also provide quantitative information to further 
evaluate the likelihood of achieving the top event. Once 
developed, the fault areas that are responsible for yielding an 
undesired event can be further evaluated. 

DOCUMENTATION 

Document the analysis to show compliance with specified 
system safety requirements and to track the corrective action. 
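
The FTAN procedure above (steps 1 to 5), worked as an added example that is not part of this plan: a small AND/OR tree is checked for termination in basic faults, reduced to minimal cut sets for the qualitative result, and evaluated bottom-up for the quantitative one. The event names and probabilities are constructed sample values, and the calculation assumes statistically independent basic events; the second tree shows the failure mode where one basic event feeds two branches and the gate-by-gate product is no longer valid.

```python
"""Fault tree evaluation: minimal cut sets and bottom-up probability."""
from dataclasses import dataclass
from itertools import product
from math import prod

BASIC_KINDS = {"human", "hardware", "software"}  # step 4: chains end in a basic fault


@dataclass(frozen=True)
class Basic:
    name: str
    kind: str   # one of BASIC_KINDS
    p: float    # probability of occurrence (constructed sample values below)


@dataclass(frozen=True)
class Gate:
    name: str
    op: str      # "AND": every input must occur; "OR": any one input is enough
    inputs: tuple


def basics(node):
    """Every basic-event leaf under node, in tree order, repeats included."""
    if isinstance(node, Basic):
        return [node]
    return [leaf for child in node.inputs for leaf in basics(child)]


def validate(node):
    """Step 4 review: each chain ends in a basic fault, each gate is AND/OR."""
    if isinstance(node, Basic):
        if node.kind not in BASIC_KINDS:
            raise ValueError(f"{node.name}: not a human/hardware/software fault")
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return
    if node.op not in ("AND", "OR") or not node.inputs:
        raise ValueError(f"{node.name}: gate must be AND or OR and have inputs")
    for child in node.inputs:
        validate(child)


def minimal_cut_sets(node):
    """Smallest sets of basic events that together cause the node's event."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.op == "OR":
        candidates = {s for sets in child_sets for s in sets}
    else:  # AND: one cut set from every input, merged
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in candidates if not any(o < s for o in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def probability(node):
    """Step 5: bottom-up probability, valid only without repeated basic events."""
    validate(node)
    names = [leaf.name for leaf in basics(node)]
    if len(names) != len(set(names)):
        raise ValueError("repeated basic event: evaluate via cut sets instead")
    return _gate_probability(node)


def _gate_probability(node):
    if isinstance(node, Basic):
        return node.p
    ps = [_gate_probability(child) for child in node.inputs]
    if node.op == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)


# Constructed sample events (names and probabilities are illustrative only).
ATP_HW = Basic("ATP wayside hardware failure", "hardware", 1e-3)
ATP_SW = Basic("ATP onboard software fault", "software", 5e-4)
DISPATCH = Basic("Dispatcher authorizes occupied block", "human", 1e-2)
OPERATOR = Basic("Operator passes block limit", "human", 2e-3)
POWER = Basic("Shared power supply failure", "hardware", 1e-4)

# Steps 1 to 3: top event, level two elements, then basic faults.
TOP_EVENT = Gate("Train enters occupied block", "AND", (
    Gate("ATP protection unavailable", "OR", (ATP_HW, ATP_SW)),
    Gate("Manual block procedure fails", "OR", (DISPATCH, OPERATOR)),
))

# Same basic event under both inputs of the AND gate: a common-cause failure.
SHARED_TOP = Gate("Both protection channels lost", "AND", (
    Gate("Channel 1 lost", "OR", (ATP_HW, POWER)),
    Gate("Channel 2 lost", "OR", (ATP_SW, POWER)),
))

if __name__ == "__main__":
    print("P(top) =", probability(TOP_EVENT))
    for cut in minimal_cut_sets(TOP_EVENT):
        print("cut set:", sorted(cut))
    print("shared-supply cut sets:", [sorted(c) for c in minimal_cut_sets(SHARED_TOP)])
```

A cut set of size one, such as the shared power supply in the second tree, is a single point of failure that defeats the AND gate above it.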

4.2.5.5 Interface Hazard Analysis (IHA) 

PURPOSE 

The IHA identifies and assesses existing or potential hazards 
between subsystems and systems and their effect on overall 
system safety and operations. The emphasis is on interfaces. 

Through the early identification of existing or potential hazards, 
corrective action(s) can be taken to eliminate or control 
unacceptable and undesirable hazards, based on the 
combination of their hazard severity and probability of 
occurrence. 

PROCEDURE 

The IHA is conducted on the critical interrelationships of each 
subsystem and system to determine the cause and effect of 
possible independent, dependent and simultaneous failures 
that could present a hazardous condition, including failures of 
safety devices. When the IHA indicates a potential problem, it is 
made known to the responsible engineer in order to initiate a 
design review. The IHA will be reviewed on a continuous basis 
to verify that design modifications do not add hazards to the 
system. 

RESULTS 

The IHA provides for the identification and correction of 
possible hazards associated with subsystem and system 
failures. The IHA provides inputs to design reviews, 
maintainability, reliability and system safety and system 
operations. 

DOCUMENTATION 

Document the analysis to show compliance with specified 
system safety requirements and to track the corrective action. 


INSTRUCTIONS FOR COMPLETING THE IHA FORM: 

• In Contract No., enter the contract number for which the IHA is being performed. 

• In Contractor, enter the name of the Contractor responsible for the IHA. 

• In IHA No., enter the IHA number which will be coded and sequentially numbered by each Contractor for 
each system. This coding sequence will be utilized for all related predictions and analysis. 

• In Rev. No, enter the revision number of the IHA to indicate the latest status. 

• In System, enter the nomenclature of the applicable system. 

• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes 
the item undergoing IHA. 

• In Interfacing Subsystem, enter the nomenclature of the interfacing subsystem which interfaces with the item 
undergoing IHA. 

• In Drawing No., enter the drawing number of the drawing on which the item undergoing IHA is indicated. 

• In Sheet _ of _, enter the individual sheet number and the total number of sheets contained in this analysis. 

• In Prepared by _, Date, the preparer will sign and enter the date of issue or completion on each sheet of the 
analysis. 

• In Reviewed by _, Date -, the reviewer will sign and enter the date of review on each sheet of the analysis. 

• In Approved by _ Date _, the Contractor's Project Manager will sign to approve and enter the date of 
approval on each sheet of analysis. 

• In No., enter the reference number which uniquely identifies the high-speed rail system element and any 
identifiable element subsystem and item being analyzed. 

• In SYSTEM MODE, enter state of the system when the failure mode or fault condition occurs. (See 
Definitions) 

• In HAZARD DESCRIPTION, describe an immediate condition which could lead to an accident involving 
potential injury, death or equipment damage. 

• In POTENTIAL CAUSE, enter the most likely primary and secondary causes that can potentially contribute 
to the presence of the hazard. 

• In EFFECT ON SYSTEM, describe the effect that the hazardous condition may have on the system in terms 
of safety (e.g. delay, inconvenience, injury, damage, fatality, etc.) 

• In EFFECT ON INTERFACING SUBSYSTEM, describe the effect that the hazardous condition may have on 
the interfacing subsystem in terms of safety (e.g. delay, inconvenience, injury, damage, fatality, etc.) 

• In INTERFACING PARAMETERS, enter the parameters responsible for the interaction of the system with 
other systems. 

• In HAZARD RISK INDEX, enter a combination of the qualitative measure of the worst potential consequence 
resulting from the hazard, and its probability of occurrence (e.g., IA, IIB, etc.), under the following conditions: 

• In INITIAL, enter the designation for hazard risk index estimated prior to implementation of the controlling 
measures. 

• In RESIDUAL, enter the designation for hazard risk index estimated following the adoption/implementation 
of the controlling measures. This may frequently result in reduction of the probability of occurrence of the 
hazard. 

• In POSSIBLE CONTROLLING MEASURES AND REMARKS, describe actions that can be taken or 
procedural changes that can be made to prevent the anticipated hazardous event or critical failure from 
occurring. Enter name(s) of related analysis and reference number(s) and which approach is being 
proposed: Design Change, Procedures, Special Training, etc. 

• In RESOLUTION, describe changes made or steps taken relative to design and/or procedures, training, etc., 
to eliminate or control the hazard. 


4.2.5.6 Operating Hazard Analysis (OHA) 

PURPOSE 

The purpose of the OHA is to identify and analyze hazards 
associated with personnel and procedures during production, 
installation, testing, training, operations, maintenance and 
emergencies. 

PROCEDURE 

The OHA will be conducted on all tasks and human actions, 
including acts of omission and commission, by persons 
interacting with the system, subsystems and assemblies at any 
level. When the OHA indicates a potential safety hazard, it will 
be made known to the responsible engineer, in order to initiate 
a design review or a system safety working group action item. 
The OHA will be reviewed on a continuous basis to provide for 
design modifications, procedures, testing etc. that do not create 
hazardous conditions. 

RESULTS 


The OHA will provide for corrective or preventive measures to 
be taken to minimize the possibility that any human error or 
procedure will result in injury or system damage. The OHA will 
provide inputs for recommendations for changes or 
improvements in design or procedures to improve efficiency 
and safety, development of warning and caution notes to be 
included in manuals and procedures, and the requirement of 
special training of personnel who will carry out the operation 
and maintenance of the system. 


DOCUMENTATION 


Document the analysis to show compliance with specified 
system safety and operational requirements. 


INSTRUCTIONS FOR COMPLETING THE OHA FORM: 

• In Contract No., enter the contract number for which the OHA is being performed. 

• In Contractor, enter the name of the Contractor responsible for the OHA. 

• In OHA No., enter the OHA number which will be coded and sequentially numbered by each Contractor for 
each system. This coding sequence will be utilized for all related predictions and analysis. 

• In Rev. No, enter the revision number of the OHA to indicate the latest status. 

• In System, enter the nomenclature of the applicable system. 

• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes 
the item undergoing OHA. 

• In Drawing No., enter the drawing number of the drawing on which the item undergoing OHA is indicated. 

• In Sheet _ of _, enter the individual sheet number and the total number of sheets contained in this analysis. 

• In Prepared by _, Date, the preparer will sign and enter the date of issue or completion on each sheet of the 
analysis. 

• In Reviewed by _, Date _, the reviewer will sign and enter the date of review on each sheet of the analysis. 

• In Approved by _, Date _, the Contractor's Project Manager will sign to approve and enter the date of 
approval on each sheet of analysis. 

• In TASK DESCRIPTION, enter a brief description of the task or operation for which the hazard condition is 
being analyzed. 

• In SYSTEM MODE, enter state of the system when the failure mode or fault condition occurs. (See 
Definitions) 

• In HAZARD DESCRIPTION, describe a human act of commission or omission, error, or fault condition, 
which could lead to an accident involving potential injury, death, or equipment damage. 

• In PROBABILITY OF OCCURRENCE, enter the probability of occurrence of the error or fault condition, 
measured in events per million hours of operation. Give data source, such as experience and statistics in 
similar applications, human factor studies, etc. 

• In POTENTIAL CAUSE, enter the most likely primary and secondary causes, including those induced by 
hardware, software, procedures and the environment, that can potentially contribute to the presence of the 
hazard. 

• In EFFECT ON PERSONNEL/SYSTEM, describe the effect that the human error or fault condition may have 
on personnel, patrons, the general public, equipment, facilities and the entire system, in terms of system 
safety and operational impact (e.g. delay, inconvenience, injury, damage, fatality, etc.) 

• In HAZARD RISK INDEX, enter a combination of the qualitative measure of the worst potential consequence 
resulting from the hazard, and its probability of occurrence (e.g., IA, IIB, etc.), under the following conditions: 

• In INITIAL, enter the designation for hazard risk index estimated prior to implementation of the controlling 
measures. 
• In RESIDUAL, enter the designation for hazard risk index estimated following the adoption/implementation 
of the controlling measures. This may frequently result in reduction of the probability of occurrence of the 
hazard. 

• In POSSIBLE CONTROLLING MEASURES AND REMARKS, describe actions that can be taken or 
procedural changes that can be made to prevent the anticipated hazardous event or critical failure from 
occurring. Enter name(s) of related analysis and reference number(s) and which approach is being 
proposed: Design Change, Procedures, Special Training, etc. 

• In RESOLUTION, describe changes made or steps taken relative to design and/or procedures, training, etc., 
to eliminate or control the hazard. 


4.2.5.7 Software Hazard Effects Analysis (SHEA) 

PURPOSE 

The Software Hazard Effects Analysis (SHEA) is a software design 
evaluation and validation tool used to identify errors generated from 
incorrect or inadequate specifications of software functions. A software 
fault causing a resultant harmful system function is a software hazard. 

Software faults can be described in three forms: 

• Error generated through coding the software 

• Faults due to incorrect software specifications implemented by the 
function developer 

• Faults due to hardware failures that affect changes in coding 
software 

A software hazard can be any of four types: 

• An undesired signal causing an unwanted event 

• An undesired signal causing an out-of-sequence event in the 
response 

• An undesired signal preventing the occurrence of a necessary 
action or response 

• An undesired signal causing an event to be out of tolerance 

The SHEA concentrates on potential safety problem areas in the software. 
The purpose of the SHEA is to provide an early study of the software 
design for possible hazards and to initiate appropriate actions to eliminate/ 
control hazards. 

PROCEDURE 

The initial step in the analysis is to identify the safety critical areas of the 
system and their functional paths. These paths may contain hardware as 
well as software elements. Focus the analysis on the software functions 
within each system functional flow path. Whether the coded instructions are 
stored in software or firmware, analysis of the system in question for 
hazardous occurrences should include an analysis of the stored coded 
instructions. 

The SHEA will be conducted on identified software fault conditions, and will 
proceed from a qualitative to a quantitative analysis as the design 
develops. When the SHEA indicates a potential problem, it will be made 
known to the responsible engineer in order to initiate proper action. The 
SHEA will be reviewed on a continuous basis to verify that software design 
modifications do not add hazards to the system. 
The SHEA should be developed in conjunction with FMEA. 

RESULTS 

The SHEA will provide information to evaluate identified software related 
hazards, identify safety critical areas in software design and provide inputs 
to safety design criteria and procedures. The latter will include provisions 
and alternatives to eliminate or control all unacceptable and undesirable 
software related hazards based on their combination of severity and 
probability of occurrence, and to identify critical items. 

DOCUMENTATION 

Document the analysis to show compliance with the specified system 
safety requirements and to track the corrective action. 


INSTRUCTIONS FOR COMPLETING THE SHEA FORM: 

• In Contract No., enter the contract number for which the SHEA is being performed. 

• In Contractor, enter the name of the Contractor responsible for the SHEA. 

• In SHEA No., enter the SHEA number which will be coded and sequentially numbered by each Contractor 
for each system. This coding sequence will be utilized for all related predictions and analysis. 

• In Rev. No, enter the revision number of the SHEA to indicate the latest status. 

• In System, enter the nomenclature of the applicable system. 

• In Subsystem, enter the nomenclature of the subsystem as broken out from the system and which includes 
the item undergoing SHEA. 

• In Document No., enter the document number of the software document for the specific software function 
being analyzed. 

• In Sheet _ of _, enter the individual sheet number and the total number of sheets contained in this analysis. 

• In Prepared by _, Date, the preparer will sign and enter the date of issue or completion on each sheet of the 
analysis. 

• In Reviewed by _, Date _, the reviewer will sign and enter the date of review on each sheet of the analysis. 

• In Approved by _, Date _, the Contractor's Project Manager will sign to approve and enter the date of 
approval on each sheet of analysis. 

• In SOFTWARE FUNCTION AND DESCRIPTION, enter the nomenclature and brief functional description of 
the software function within the specified module, including commands, data input or control function. 

• In SYSTEM MODE, enter state of the system when the software related fault condition occurs. (See 
Definitions) 

• In HAZARD DESCRIPTION, describe a software fault condition, which could lead to an accident involving 
potential injury, death, or equipment damage. 

• In PROBABILITY OF OCCURRENCE, enter the probability of occurrence of the software fault condition, 
measured in events per million hours of operation. Identify data source, such as experience in similar 
applications, etc. 

• In POTENTIAL CAUSE, enter the most likely primary and secondary causes that can potentially contribute 
to the presence of the hazard. 

• In EFFECT ON SUBSYSTEM /SYSTEM, describe the effect that the software fault condition may have on 
the module and the next higher level, i.e., subsystem or system element in terms of inputs and outputs, and 
in terms of system safety and operational impact (e.g. delay, inconvenience, injury, damage, fatality, etc.) 

• In HAZARD RISK INDEX, enter a combination of the qualitative measure of the worst potential consequence 
resulting from the hazard, and its probability of occurrence (e.g., IA, IIB, etc.), under the following conditions: 

• In INITIAL, enter the designation for hazard risk index estimated prior to implementation of the controlling 
measures. 

• In RESIDUAL, enter the designation for hazard risk index estimated following the adoption/implementation 
of the controlling measures. This may frequently result in reduction of the probability of occurrence of the 
hazard. 
• In POSSIBLE CONTROLLING MEASURES AND REMARKS, describe actions that can be taken in the 
software, firmware, or procedural changes that can be made to prevent the anticipated hazardous event 
from occurring. If changes cannot be implemented in software or firmware, propose external controls in 
hardware or other procedural changes. As appropriate, enter name(s) of related analysis and reference 
number(s) and which approach is being proposed: i.e., software, firmware, hardware design change, 
procedures, special training, etc. 

• In RESOLUTION, describe changes made or steps taken relative to design and/or procedures, training, etc., 
to eliminate or control the hazard. 


4.3 Threat and Vulnerability Assessment Process 

Planning in advance of day-to-day passenger rail crimes, terrorist acts, or other security incidents is 
essential to providing CHST passengers and employees with a safe and secure environment. A breach 
in security may result in serious injuries or death, destruction of property and facilities, and/or the inability 
to continue CHST system operations to the region. To evaluate the susceptibility to potential threats and 
to design corrective actions that can reduce or mitigate the risk of serious consequences from a security 
incident, a Threat and Vulnerability Assessment (TVA) will be initiated during the preliminary phases of 
the CHSTP. The assessment will be reviewed and updated at each subsequent phase. The TVA 
process consists of four activities: 

• Identification of critical assets of the CHST system 

• Analysis of the threats against these assets 

• Identification of potential vulnerabilities within the proposed CHST system 

• Summary analysis of security incident consequences 

The TVA Process will identify the likelihood of specific threats that may endanger railroad assets (people 
and property); the potential vulnerabilities associated with the design of the CHST system; and mitigation 
efforts that can be designed into the CHSTP to reduce the risk and to minimize the consequences of 
identified potential criminal and terrorism activities. It will also identify future security training needs of 
transit personnel and the necessity for security procedures. The Security Risk Assessment will be 
protected under Sensitive Security Information (SSI) and shared only with those persons with a need to 
know. 

4.3.1 Asset Identification 

Assets are defined as people and property. Project assets include the following: 

• People - passengers, employees, visitors, contractors, vendors, surrounding communities, and 
others who come into contact with the transit system 

• Property - fixed infrastructure, rolling stock, software, plans and procedures 

Property assets associated with the CHSTP will be identified during the TVA process and included as a 
listing in the Threat and Vulnerability Assessment Report. 

4.3.2 Asset Criticality Determination 

Assets will be prioritized in terms of criticality. Most weight will be given to those assets that present the 
greatest threat to life safety or service disruption. In making this determination, consideration will be 
given to the following: 

• Impact on CHST system passengers, employees, and first responders 

• Impact on CHST system operations 
• Economic value of the asset, including current and replacement value 

• Intrinsic value of the asset to a potential adversary 

• Location of the asset relative to other critical assets 

4.3.3 Identification of Threats Against Critical Assets 

Threats are defined as specific intentional acts that will damage the system, its facilities, or its patrons. 
Passenger rail agencies face security threats from three primary classifications of crime: crimes against 
persons, crimes against property, and other crimes committed on railroad property. Other crimes 
committed on railroad property generally are minor and affect quality of life. They degrade the quality of 
transportation service and interfere with passengers’ use of the transportation system. The majority of 
crimes committed do not pose a physical threat to passengers but may erode passengers' sense of 
security and make passengers feel intimidated. 

The threat analysis will define the level or degree of threats against the proposed rail system. 

4.3.4 Threat Scenarios 

Threat scenarios will be developed to identify and evaluate vulnerabilities that may make the asset 
susceptible to an attack. Scenario development also identifies impacts of threats on critical assets and 
promotes mitigation strategies and capability needs. The scenarios are intended to represent credible, 
real-world events and, as such, will be derived primarily from other operating systems’ experiences, FTA 
and Transportation Security Administration resource documents, and local crime report information. 

4.3.5 Vulnerabilities 

Vulnerability is the susceptibility of the system to a particular type of security incident or event that can be 
taken advantage of to carry out a threat. Vulnerabilities may surface as a result of the following: 

• Design and construction of the stations, trackway, wayside facilities, park-and-ride lots, aerial 
structures, underground structures, operations and maintenance facilities, and central control 

• Equipment and technology used 

• Operating procedures 

• Policing and security practices 

A vulnerability analysis will be prepared to identify specific weaknesses with respect to how the new 
facility or system may invite and permit a threat to be accomplished. 

4.3.6 Security Incident Frequency 

The likelihood of a security incident or event affecting a system or facility will be categorized as follows: 

• High - Indicates that a definite threat exists against the asset and that the adversary has both the 
capability and intent to attack or commit a criminal act, and that the asset is targeted on a frequently 
recurring basis 

• Frequent - Indicates that a credible threat exists against the asset based on knowledge of the 
adversary’s capability and intent to attack or commit a criminal act against the asset, based on related 
incidents having taken place at similar assets or in similar situations 

• Occasional - Indicates that there is a possible threat to the asset based on the adversary’s desire to 
compromise similar assets 

• Seldom - Indicates that there is a low threat against the asset and that few known adversaries would 
pose a threat to the asset 
• Never - Indicates no credible evidence of capability or intent and no history of actual or planned 
threats against the asset 

Table 4-4 describes the probability characteristics of a security incident or event. The probability 
categories - Levels A, B, C, D, and E - will be used in the Security Criticality Matrix. 


Table 4-4 Security Event Probability Categories 

Description | Level | Specific Individual Asset | Fleet or Inventory 
High | A | Likely to Occur Frequently | Continuously Experienced 
Frequent | B | Will Occur Several Times in Life of an Asset | Will Occur Frequently 
Occasional | C | Likely to Occur Sometime in Life of an Item | Will Occur Several Times 
Seldom | D | Unlikely but Possible to Occur in the Life of an Item | Unlikely but can Reasonably be Expected to Occur 
Never | E | So Unlikely it can be Assumed Occurrence May not be Experienced | Unlikely to Occur but Possible 


4.3.7 Security Incident Severity 

In addition to threats, the worst-case consequences of security incidents will be evaluated. Consequence 
severity is defined as the degree of injury or amount of damage that may be expected from a successful 
attack or criminal act against an asset. Examples of consequences include injuries to the public or to 
CHST system personnel, loss of equipment causing financial losses, and disruption to CHST system 
operations. Severity categories will be defined to provide a qualitative measure of the result of a security 
breach and are summarized in Table 4-5. 


Table 4-5 Threat Severity Categories 

Category | Severity | Characteristics 
1 | High | Death or System Loss or Extensive Damage 
2 | Moderate | Severe Injury or Moderate System Damage 
3 | Low | Minor Injury or Minor System Damage 


4.3.8 Security Criticality Matrix 

The severity of a threat and the likelihood of occurrence will be combined into a risk level criticality matrix. 
The consequences will be assessed both in terms of severity of impact and probability of occurrence for a 
given threat. The criticality matrix organizes the resulting consequences into categories of high, serious, 
and low. The matrix will help to prioritize consequences and to focus available resources on the most 
serious threats requiring resolution while effectively managing the available resources. Threats with 
vulnerabilities identified as high may require further investigation and indicate that the condition cannot 
remain as-is but must be mitigated. A serious consequence in the matrix indicates that a countermeasure 
should be implemented, if at all possible, within fiscal constraints. A low consequence means that it is 
acceptable to allow the risk without providing any countermeasures. The Security Criticality Matrix is 
shown in Table 4-6. 


Table 4-6 Criticality Matrix 

Vulnerability Categories: I (High), II (Moderate), III (Low) 

Frequency of Occurrence | I High | II Moderate | III Low 
(A) High | H (IA) | H (IIA) | M (IIIA) 
(B) Frequent | H (IB) | H (IIB) | M (IIIB) 
(C) Occasional | H (IC) | M (IIC) | L (IIIC) 
(D) Seldom | M (ID) | L (IID) | L (IIID) 
(E) Never | M (IE) | L (IIE) | L (IIIE) 

Hazard Risk Index | Risk Decision Criteria 
IA, IB, IC, IIA, IIB | High (H): Vulnerability must be mitigated 
ID, IE, IIC, IIIA, IIIB | Moderate (M): Vulnerability should be mitigated if possible within fiscal constraints 
IID, IIE, IIIC, IIID, IIIE | Low (L): Vulnerability is acceptable with review by the Authority 


Source: Adapted from FTA’s Public Transportation System Security and Emergency 
Preparedness Planning Guide 


4.4 Verification and Validation Documentation 

Each identified safety hazard and security risk will be managed to resolution through the Verification and 
Validation (V&V) methodology and documented in the Requirements Management Tool database system 
adopted by the CHSTP. The V&V methodology and documentation requirements are described in Section 
7.0 of this SSMP. 
5.0 DEVELOPMENT OF SAFETY AND SECURITY DESIGN CRITERIA 
5.1 Prevention Through Design 

Hazards can be resolved by deciding to either assume the risk associated with the hazard or to eliminate 
or control the hazard. The Prevention Through Design principle incorporates safety considerations into 
the early design of a system element so as to avoid, eliminate, or mitigate hazard risk to a level as low as 
reasonably practicable. The following order of precedence shall be applied when incorporating safety 
considerations into design: 

1. Avoidance: Develop concepts of operations, basis of design, or general system requirements to 
avoid the introduction of hazards to the system. 

2. Elimination: Design, redesign or retrofit to eliminate (i.e., design out) the hazards through design 
selection. This strategy generally applies to acquisition of new equipment or expansion of existing 
systems; however, it can also be applied to any change in equipment or individual subsystems. 

3. Substitution for Minimum Risk: If an identified hazard cannot be eliminated, reduce the associated 
risk to an acceptable level. This may be accomplished, for example, through the use of fail-safe 
devices and principles in design, the incorporation of high-reliability systems and components and 
use of redundancy in hardware and software design. 

4. Engineering Controls: Hazards that cannot be eliminated or controlled through design selection will 
be controlled to an acceptable level through the use of fixed, automatic or other protective safety 
design features or devices. This could result in the hazards being reduced to an acceptable risk level. 
Safety devices may be part of the system, subsystem or equipment. Examples of safety devices 
include interlock switches, protective enclosures and safety pins. Care must be taken to ascertain that 
the operation of the safety device reduces the loss or risk and does not introduce an additional 
hazard. Safety devices will also permit the system to continue to operate in a limited manner. 
Provisions will be made for periodic functional checks of safety devices. 

5. Provide Warning Devices: When neither design nor safety devices can effectively eliminate or 
control an identified hazard, devices shall be used to detect the hazardous condition and generate an 
adequate warning signal to provide for personnel remedial action. Warning signals and their 
application will be designed to minimize the probability of incorrect personnel reaction to the signals 
and will be standardized within like types of systems. Warning signals and their application should 
also be designed to minimize the likelihood of false alarms that could lead to creation of secondary 
hazardous conditions. 

6. Administrative Controls: Where it is not possible to eliminate or adequately control a hazard through 
design selection or use of safety and warning devices, procedures and training will be used to control 
the hazard. Special equipment operating procedures can be implemented to reduce the probability of 
a hazardous event and a training program can be conducted. The level of training required will be 
based on the complexity of the task and minimum trainee qualifications contained in training 
requirements specified for the subject system element and subsystem. Precautionary notations in 
manuals will be standardized. Safety critical tasks, duties and activities related to the system element 
and subsystem will require certification of personnel proficiency. However, without specific written 
approval, no warning, caution or other form of written advisory will be used as the only risk reduction 
method for unacceptable and undesirable hazards. 

7. Personal Protective Equipment and Guards: Where no other higher-level alternative mitigations are 
possible, the use of personal protective equipment or the installation of guards will be used to mitigate 
the hazard. Personal protective equipment and guards may be used to supplement other higher-level 
mitigations, but when they are the only mitigation applied they are to be used only when no other 
alternatives exist. 
5.2 Development of Design Criteria 

Design criteria are developed from the engineering experience of the design team obtained from 
numerous other rail projects, as well as the following sources: 

• Formal hazard analyses, including Preliminary Hazard Analysis 

• Threat and Vulnerability Assessments 

• Federal Railroad Administration regulations found in Code of Federal Regulations Title 49, Parts 
200-299 

• California Public Utilities Commission (CPUC) General Orders 

• California Building Codes 

• California State Fire Marshal’s Office direction and recommendations 

• Local building codes and Fire Marshal recommendations 

• National Fire Protection Association (NFPA) 

• American Public Transportation Association (APTA) 

• American Railway Engineering and Maintenance-of-Way Association (AREMA) 

• Underwriters Laboratories (UL) 

• Safety and security recommendations of the Department of Homeland Security (DHS), Transportation 
Security Administration (TSA), and the Federal Transit Administration (FTA) 

• Other industry or technical standards 

CHSTP will conduct Preliminary Hazard Analysis and Threat and Vulnerability Assessment during the 
Preliminary Engineering phase to aid in defining safety and security design criteria. 

Design criteria are developed to address system safety and security requirements applicable to the entire 
system. System safety and security requirements for each specific design element will be incorporated 
into the corresponding element design criteria contained in the CHSTP Design Criteria. There are no 
separate sections in the CHSTP Design Criteria specifically identified as “safety and security design 
criteria.” 

The processes described in the CHSTP Verification and Validation Management Plan (VVMP) will ensure 
that the design criteria and the basis of design report will incorporate safety and security requirements 
into the project design. 

The following documents have been prepared by the PMT in order to achieve the project’s design 
criteria’s objectives: 

• Basis of Design Report 

• Risk Management Plan and Hazard Log 

• System Requirements 

• Infrastructure Maintenance Plan 

• Design Manual 

• Standard Drawings 

• Standard Specifications 

A consistent approach will be utilized within all the engineering efforts and will assist the CHSTP Regional 
Consultant Teams in preparation of their designs. 

The Basis of Design Report defines the key CHST system performance requirements. This document 
serves as the guiding force in establishing the design criteria and development of design standards. The 
key audience for the Basis of Design Report is the Authority, the Program Manager, the Regional Project 
Managers, and the Section Designers. The purpose of the report is to guide the Engineering 
Management Team during the development of engineering criteria and provide the required performance 
levels for the CHST system. 

A Risk Management Plan and Hazard Log will be developed outlining methodologies to ensure that a 
consistent approach to risk assessment and cost are applied throughout the CHSTP. The plan will 
address both system safety risk and project delivery risk, and include a Program level risk register that will 
be regularly updated and maintained. 

The CHSTP System Requirements provides a common platform on which similar Code of Federal 
Regulations, CPUC General Orders, and European Union Technical Specifications for Interoperability, as 
well as other industry best practice and standards, can be collectively presented and assessed at a 
detailed technical level. In addition to guiding and supporting specific technical guidance at the 
subsystem level, the CHSTP System Requirements structure is used to demonstrate how the 
performance objectives of the CHSTP are to be achieved. 

The Infrastructure Maintenance Plan is a base document outlining how the CHST system will be 
maintained. This document sets forth the requirements for maintenance facilities for rolling stock and the 
railway infrastructure, as well as the approximate location and size of supporting facilities. 

Design Criteria have been prepared that are intended to serve as the design requirements for a possible 
Design/Build consortium. The Design Criteria identify and specify required elements and 
considerations to ensure a safe and reliable operating railway for the CHSTP. The Design Criteria will be 
supported by Standard Drawings and Standard Specifications as required. 

5.3 Design Reviews 

CHSTP drawings and specifications will be reviewed informally during development and formally during 
preliminary and final design. The purpose of these reviews will be to verify conformance with all of the 
project’s design criteria. These reviews are performed by the corresponding PMT discipline design 
personnel, their design supervisors, applicable oversight agencies, representatives from the Regional 
Consultants, and the PMT System Safety and Security staff. 

Design reviews will be scheduled and coordinated so as to permit ample opportunity for comments and 
approvals. After satisfactory resolution of comments, the specifications are “sealed” by professional 
engineers from the Regional Consultants design group and issued for use. 

5.4 Deviations and Changes 

For any instances that arise requiring a possible deviation from the safety-critical or security-critical design 
criteria (i.e., physical constraints identified within the project’s corridor conflicting with baseline 
requirements), the PMT and the associated segment Regional Consultant during Preliminary Engineering 
(and PMT and design/build contractor during Final Design) will be required to explore all reasonable 
alternatives to provide a design that conforms to the requirements of the existing criteria. If a reasonable 
alternative cannot be developed, the requesting party will submit a Design Variance Request (DVR) to the 
Safety and Security Project Committee (SSPC), whose members include safety and security personnel 
and representatives of the required engineering disciplines. The requesting party will be responsible for 
identifying and resolving any hazards or vulnerabilities related to any deviations. 

For all contractor-identified deviations, the contractor will conduct a hazard and vulnerability analysis to 
identify any hazards or vulnerabilities resulting from the proposed deviation that may require resolution. 

If the change request is approved, the findings and recommendations will be incorporated into the Final 
Design engineering and construction plans and the Final Design Verification Checklist(s) will be updated 
to reflect the change. 

During the life cycle of the project, the SSPC may also confront design issues that require additional 
hazard analysis or vulnerabilities assessment, the outcome of which may result in requests for design 
changes. Such requests will be submitted to the SSPC for review and processed through the Design 
Variance Request process. 

The PMT is responsible for monitoring all design requests/changes for compliance with the Design 
Criteria or Design Standards documents, including statutory and regulatory requirements and 
requirements specified in any contract. 




HSR 13-06 - EXECUTION VERSION 


6.0 QUALIFIED OPERATIONS AND MAINTENANCE PERSONNEL 

6.1 Operations and Maintenance Requirements 

The PMT Operations and Maintenance Team (OMT) will be responsible for developing system operations 
and maintenance requirements that support the safe and efficient operation of the California High-Speed 
Train system. Principal activities of the OMT include: 

• Provide ongoing operations input to the Engineering Management Team and Regional Engineering 
teams in the development of system design elements 

• Review and comment on Engineering design elements to ensure responsiveness to operations’ 
functional requirements 

• Coordinate with FRA on development of CHSTP System rules and procedures and their relationship 
to current regulations and new regulations that will emerge from the CHSTP. Key categories include: 

o Code of Federal Regulations (CFR) regulatory issues 

o Rail System Operating Rules 

o System Safety Rules and Procedures 

o Standard Operating Procedures 

o Emergency Action Plans and Procedures 

• Coordinate with railroads, operating agencies/rail service providers and stakeholders as required 

Personnel staffing requirements for the operation and maintenance of the in-service CHST system will be 
established and described in the CHST System Training and Personnel Qualification Plan, to be 
developed prior to the startup of revenue operations. 

Development of the Operations and Maintenance Plan for any system or subsystem component will begin 
during CHSTP Construction Phase. Position titles, responsibilities, qualifications, and training 
requirements will be identified consistent with other high-speed rail operating systems using similar 
technologies and operating characteristics. The magnitude of the in-service CHST system (trains 
operated, vehicles in service, track and CCS systems to maintain) will determine staffing levels for 
operators, maintainers, and supervisors. 

Additionally, the CHST System Infrastructure Maintenance Requirements Plan (IMRP) establishes and 
describes how infrastructure maintenance will be planned and implemented including methods utilized 
and resources required. The IMRP specifies the CHST system requirements necessary to meet 
passenger and public safety levels that meet or exceed FRA Class 6 Regulatory Safety Standards, 
consistent with FRA’s High-Speed Passenger Rail Safety Strategy. IMRP requirements will be 
incorporated into the system Design Criteria during the Preliminary Engineering phase of the CHSTP. 
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6.2 Operations and Maintenance Pians, Ruies and Procedures 


The following documents will be revised for the CHST system during the Project Construction Phase, in 
preparation for Testing and Startup: 


• Passenger Train Emergency Preparedness Plan

• Air Brake Operating Instructions

• Electrical Operating Instructions

• Emergency Operating Procedures

• Timetable Special Instructions

• On-Track Safety Rules

• System Safety Program Plan

• Security and Emergency Preparedness Plan

• Concept of Operations

• Code of Operating Rules

• Rolling Stock Maintenance Plan

• Infrastructure Maintenance Requirements Plan

• Training and Personnel Qualification Plan

• Service/Operating Plan

• Command and Control Facilities Plan

• On-Board Operating Plan

• Passenger Station Operating Plan


6.3 Training Program 

The PMT will be responsible for ensuring qualified O&M personnel assigned to the CHST system are 
trained to perform pre-revenue and revenue operations. Instruction in safe methods of operation, safety 
requirements, and emergency response procedures will be included in manuals, handbooks, and other 
documentation developed for the training and certification of operations and maintenance personnel. 
Training plans, which include in-house classroom training and on-the-job training and testing, will be 
developed based on the individual characteristics of the equipment or CHST System locations. 

The future CHST system Operators, Instructors and Field Supervisors will undergo familiarization training 
on all operational equipment, rules, plans and procedures. The future Central Control Operations Staff 
(including Superintendents, Supervisors, and Train Dispatchers) will require extensive training and 
qualification on the train control system, in addition to operating rules and procedures, and safety and 
security procedures. 

Positions which will require detailed job descriptions and training programs prior to entering the Testing 
Phase of the CHSTP include, but are not limited to the following: 

• Superintendents 

• Operations Supervisors 

• Train and Engine Service Employees 

• Control Center Supervisors 

• Control Center Train Dispatchers 

• Equipment Maintenance Employees 

• Signal and Communications Employees 

• Maintenance of Way Employees 

• Power and OCS Employees 

Contractors and suppliers providing equipment and facilities for the CHST system will be responsible for
developing training plans, training manuals, and conducting training courses for applicable CHST System
Operations and Maintenance staff. Contractors will be required to develop and implement programs to
train appropriate Authority personnel in the operation and maintenance of each piece of equipment or
systems provided in conformance with the CHST System Training and Personnel Qualification Plan.

6.4 Emergency Preparedness 

A Passenger Train Emergency Preparedness Plan (PTEPP) will be developed prior to the start of the
Testing Phase of the CHSTP to prepare for emergency incidents that occur during testing. The PTEPP 
will be further developed and carried over into the start of revenue service. The PTEPP will contain 
emergency preparedness requirements and procedures for the Operations and Equipment Maintenance 
disciplines, in compliance with 49 CFR, Part 239. The PTEPP will identify requirements for a program of 
training (including instructional programs, emergency preparedness drills and tabletop exercises) of 
railroad operating and maintenance personnel and emergency responders. The goal of the PTEPP is to 
verify and validate the following: 

• Adequacy of emergency plans and procedures 

• Readiness of railroad operating and maintenance personnel to perform under emergency conditions 

• Effective coordination between railroad operations and emergency response agencies - police, fire, 
and emergency medical services 

• Familiarization of fire, police, and emergency medical services personnel with the physical and 
operating characteristics of CHSTP operations and inherent hazards 

After-action reviews will be conducted following any major emergency response event or exercise prior to 
the start of revenue operations. A report of the findings will be provided to the Safety and Security Project 
Committee (SSPC). Action items will be tracked by the SSPC to completion through the V&V process. 
Outcomes may include recommendations for revisions to the PTEPP, operating rules or procedures, 
equipment or infrastructure changes, or emergency responder procedures, and changes to training plans 
and training programs pertaining to emergency response and personnel. 

Fire/Life Safety and Security Committees will be established at both a regional and State level as 
described in Section 3.3.3 of this SSMP to provide a vehicle for clear, consistent communication with 
emergency responders. 

7.0 SAFETY AND SECURITY CERTIFICATION PROGRAM

7.1 Overview 

The California High-Speed Rail Authority is ultimately responsible for ensuring that all safety-critical and 
security-critical elements of the CHST system are designed, constructed, tested, and made operationally 
ready in a safe and secure manner prior to the start of revenue service. The Safety and Security 
Certification Program describes the responsibilities and processes required to demonstrate that the CHST 
system is safe and secure, in conformance to the FTA Handbook for Transit Safety and Security 
Certification and Federal Railroad Administration (FRA) Regulations 49 CFR 236, Sub-parts H and I for 
Positive Train Control, and other FRA Regulations as applicable. The Safety and Security Certification 
Program applies to all phases of the CHSTP, from preliminary engineering to the start of revenue 
operations, for each segment designed and built for the system. 

The Safety and Security Certification Program follows the verification and validation processes and 
principles as outlined in the Verification and Validation Management Plan (VVMP) in that it seeks to verify
that the safety and security system specifications that are developed as mitigations to known hazards and 
vulnerabilities are carried through in the final design, construction and operational readiness phases. The 
safety and security system specifications are also validated for their effectiveness in mitigating the target 
hazards and vulnerabilities. The verification and validation process will be used to verify and validate the 
safety and security certification checklists. 

The PMT System Safety Manager, in coordination and conjunction with the PMT Operations
Manager and Engineering Manager, will be responsible for initiating the safety and security certification
process during the preliminary engineering phase of the CHST Project. The Program Management Team,
led by the System Safety Manager, will develop a Certifiable Elements and Hazards Log (CEHL) for
safety-critical and security-critical system elements and their associated hazards and mitigations. The
CEHL will carry through all of the project phases to ensure that hazards identified in the Preliminary
Engineering Phase are mitigated consistently throughout the project life cycle.

Hazards and vulnerabilities identified on the CEHL will be analyzed to determine appropriate measures 
for mitigation. Mitigations will provide input to the V&V process, resulting in the development of V&V 
Certifiable Items Lists for each project phase that in turn lead to development of V&V Certifiable Items 
Lists for the subsequent project phase. 

V&V Certifiable Items Lists that are specific to safety and security requirements will be distinctly identified 
as such and tracked in conformance with the VVMP, and collectively make up the verification and 
validation evidence that supports safety and security certification. The PMT System Safety Manager, with 
the assistance of the PMT Security Manager, will have overall responsibility for the administration of the 
Safety and Security Certification Program. 

7.2 Program Goals and Objectives 

The goals of the Safety and Security Certification Program are to verify that identified safety and security 
requirements have been met in the preliminary engineering, final design, and construction phases and to 
provide evidence that the CHST system is safe and secure for revenue service. The objectives of the 
Safety and Security Certification Program are to document the following: 

• Safety and security design criteria are reflected in contract documents 

• Facilities and equipment have been designed, constructed, manufactured, inspected, installed, and 
tested in accordance with safety and security requirements 

• Operations and maintenance procedures and rules have been developed and implemented to ensure
safe operations 

• Training documents have been developed for the training of operating and emergency response
personnel

• Transportation and maintenance personnel have been trained and qualified

• Emergency response agency personnel have been prepared to respond to emergency situations in or
along the CHST system corridor

• Safety and security systems integration tests have been conducted

• All safety and security related issues have been addressed and resolved

Certification occurs at the beginning of each project phase, and is required for advancing project
elements into the next project phase. For example, the Final Design of a bridge structure must be
certified to meet all safety and security design criteria prior to construction, and then must be certified to
have been built in conformance to those safety and security design criteria before being placed into
operation. This process assures the Authority that CHSTP elements are safe and secure as they move
through each successive phase of the project.

Certification Items that are not completed prior to moving to the next phase are placed on an Open Items
List and tracked to completion. The Open Items List describes a plan for closure of the Certifiable Items,
including target dates and an accountable person for closure.

7.3 Safety and Security Certification Process 

Safety and security certification is managed by the PMT through the oversight and participation of the 
Safety and Security Project Committee (SSPC), and with the ultimate approval of the Authority through 
the Safety and Security Executive Committee. 

The SSPC will be responsible for tracking the progress of the safety and security certification through 
regular review and update of the Hazard Log maintained by the PMT Safety Manager.

Federal Railroad Administration approval to operate will be achieved through final safety and security 
certification prior to the start of revenue service. 

7.3.1 Certifiable Elements and Hazards 

A Certifiable Elements and Hazards Log will be established during the Preliminary Engineering Phase. 
The CEHL identifies the major elements of the CHST system that are to be proven to be safe and secure 
prior to the startup of revenue service and acts as a guide for the certification process throughout the project
life cycle. Hazards associated with each major element that can reasonably be expected to occur in the 
CHST system will be identified through a System Hazard Analysis process and placed on the CEHL. The 
CEHL will be developed by the PMT System Safety Manager in collaboration with the other PMT 
discipline technical experts and presented to the SSPC for review and approval. The CEHL will be 
updated and expanded following the completion of analyses during the various phases of the CHSTP. A 
sample CEHL is shown in Figure 7-1. 

Figure 7-1 Sample CEHL

Certifiable Elements and Hazards Log

Columns: Certifiable Elements (No., System Elements, Sub-Elements); Hazards (No., Date Identified, Description); Mitigations (Mitigation Description, PE Phase Reference, FD Phase Reference)

1.1 R-O-W Generally

1.1.1 R-O-W Generally - Derailment

1.1.1.1 (8/30/2011) Track Failure - Cracked or broken track component
1) Implement an inspection program and remedial maintenance methodology that meet or exceed FRA Guidelines for Track Class to operate at 220 MPH (when
2) Implement track component quality standards that meet or exceed AREMA requirements.
   Reference: DM 5.4.2; DM 5.5.1
3) Install on-board derailment containment devices
4) Install in-track derailment containment elements.
5) Require positive indication of broken rail through track

1.1.1.2 (8/30/2011) Track Abnormality - Worn track components, cross-level
1) Implement an inspection program and remedial maintenance methodology that meet or exceed FRA Guidelines for Track Class to operate at 220 MPH (when
2) Implement track component quality standards that meet or exceed AREMA requirements.
   Reference: DM 5.4.2; DM 5.5.1
3) Install on-board derailment containment devices
4) Install in-track derailment containment elements
5) Require positive indication of broken rail through track

1.1.1.3 (8/30/2011) Roadbed failure due to subsidence, shifting
1) Perform geotechnical analysis and incorporate results into
   Reference: DM 10.5
2) Install appropriate drainage.
   Reference: DM 8.4.3
3) Inspection and maintenance of drainage systems

1.1.1.4 (8/30/2011) Washout caused by flooding or scouring
1) Perform hydraulics analysis and incorporate results into
   Reference: DM 10.5
2) Install appropriate drainage.
   Reference: DM 8.4.3
3) Inspection and maintenance of drainage systems.
4) Identification and monitoring by O&M of potential

Note - Figure 7-1 is a sample representation only. Refer to current CEHL for identified hazards and required 
mitigations. Due to space considerations Figure 7-1 only depicts Preliminary Engineering and Final Design phases; 
subsequent phases will be added as the project matures. 


7.3.2 Identification of Hazards and Vulnerabilities 

Safety and security are addressed during project design through the identification of safety and security 
design criteria for each certifiable element in the CEHL. The principal means of identifying safety-related
design criteria is a Preliminary Hazard Analysis conducted by the PMT Safety Manager in collaboration
with the other PMT discipline technical experts. Other analyses are conducted as necessary. These
analyses include Failure Mode Effects Analysis (FMEA), Interface Hazard Analysis (IHA), Software
Hazard Effects Analysis (SHEA), Fault Tree Analysis (FTA) and Operations Hazard Analysis (OHA). See
Section 4.0 for a detailed description of these analysis methods, including sample work sheets.

The principal means of identifying security-related design criteria are Threat and Vulnerability
Assessments (TVA) conducted by the PMT Security Manager in collaboration with the other PMT
discipline technical experts. Other analyses are conducted as necessary. The TVA will be developed in
the form of a technical report.

7.3.3 Tracking of Hazards and Vulnerabilities 

The Certifiable Elements and Hazards Log will be developed and maintained by the PMT System Safety
Manager and PMT Security Manager collaboratively. The log will track the process of mitigation efforts
throughout the CHSTP life cycle. Regular updates of the log will be presented to the SSPC and included
in the quarterly reports to the SSEC.

7.3.4 Design Verification 

Hazard and vulnerability mitigations will be identified as output from the hazard analysis (PHA, TVA,
FMEA, IHA, SHEA, FTA and/or OHA). These mitigations will be required to be incorporated into Final
Design drawings in order to meet the projected Residual Hazard Risk Index. The verification and
validation process, as identified in the CHSTP Verification and Validation Management Plan, will be
utilized for verifying that the identified mitigations have been satisfactorily incorporated into the Final
Design. The tool for tracking V&V compliance is the Certifiable Items List. A sample Certifiable Items List
is shown in Figure 7-2.


Figure 7-2 Sample Certifiable Items List

CHSTP SAFETY & SECURITY CERTIFICATION PROGRAM
CERTIFIABLE ITEMS LIST

Labels appearing on the sample form: Hazard #; Hazard Description; Project Phase; Developed By; Name; Date; Initials; Item #; Description; Criteria/Requirement; Means of Verification; Evidence of Verification; Comments / Restrictions; Safety Manager Review; SSPC Review. Item rows are numbered 1 to 8 and left blank.

The design/build contractor shall be responsible for the development of site-specific hazard analysis
(principally PHAs, but also TVA, FMEA, IHA, SHEA, FTA and OHA as appropriate) required as the safety- 
critical or security-critical design criteria are applied to specific, local CHST system elements. The 
design/build contractor shall also be responsible for developing the V&V Certifiable Items Lists as output 
from the site-specific hazard analysis. The design/build contractor will be responsible for completing the 
Certifiable Items Lists applicable to their specific project scope during the Final Design Phase. The 
design/build contractors will identify in the resolution section of the Certifiable Items Lists objective 
evidence that demonstrates compliance with the required safety-critical or security-critical design criteria. 
Requests for variance from the requirements identified in the Certifiable Items Lists will be handled 
through the process identified in Section 5.4. 

All completed Certifiable Items Lists, along with associated supporting material, will be compiled by the 
design/build contractor and available for audit by the PMT System Safety Manager upon request. When 
all Certifiable Items Lists for a particular element or infrastructure component are completed, a Final 
Design Certificate of Conformance Package (consisting of a Certificate of Conformance for the project 
element, all completed Certifiable Items Lists, and all supporting documentation such as hazard analysis, 
drawings, and design element descriptions) will be compiled and forwarded to the PMT System Safety 
Manager. The PMT System Safety Manager will review the Final Design Certificate of Conformance 
Package for completeness and content accuracy, and will then forward the Final Design Certificate of 
Conformance Package to the SSPC for review and acceptance through the issuance of a Statement of 
No Objection (SONO). If accepted by the SSPC, the Final Design Certificate of Conformance Package is
forwarded to the SSEC for ultimate Authority review and approval. A sample Certificate of Conformance 
is shown in Figure 7-3. 


Figure 7-3 - Certificate of Conformance (Sample)


Certificate of Conformance

CIL #: _____ CIL Name: _____

Project Phase: _____ Date of Issuance: _____

Description: _____


This is to verify that the above-named Certifiable Item has been verified for safety and
security certification in conformance with the CHSTP Design Criteria and safety-critical
and security-critical requirements with the following exceptions:

□ No Exceptions

Exceptions:


Project Manager - Contractor (Signature)

Project Manager - Contractor (Print)

Date

Project Safety Officer - Contractor (Signature)

Project Safety Officer - Contractor (Print)

Date

Contractor Company Name

Independent 3rd Party Audit (Signature)

Independent 3rd Party Audit (Print)

Date

Independent 3rd Party Company Name

The Certifiable Items Lists will be expanded by the design/build contractor to include a Construction
section upon completion of the Final Design phase of a particular CHST system element. The safety- 
and security-critical items identified during the Final Design Phase will be carried over into the 
Construction Phase. 

The design/build contractors will be responsible for completing the Certifiable Items Lists that apply to 
their scope of work during the Construction Phase. The design/build contractors shall identify in the 
resolution section of the Certifiable Items Lists objective evidence that demonstrates compliance with 
design features that are identified as safety-critical or security-critical. Requests for variance from the 
requirements identified in the Certifiable Items Lists will be handled through the process identified in 
Section 5.4. 

All completed Critical Items Verification Checklists, along with associated supporting material, will be 
compiled by the design/build contractors and available for audit by the PMT System Safety Manager upon 
request. When all Certifiable Items Lists for a particular element or infrastructure component are 
completed, a Construction Certificate of Conformance Package (consisting of a Certificate of 
Conformance for the project element, all completed Certifiable Items Lists, and all supporting 
documentation such as hazard analysis, field reports, photographs, and drawings) will be compiled and 
forwarded to the PMT System Safety Manager. The PMT System Safety Manager will review the 
Construction Certificate of Conformance Package for completeness and content accuracy, and will then 
forward the Construction Certificate of Conformance Package to the SSPC for review and acceptance 
through the issuance of SONO. If accepted by the SSPC, the Construction Certificate of Conformance 
Package is forwarded to the SSEC for ultimate Authority review, approval and certification. 

7.3.5 Testing Verification 

The Certifiable Items Lists will be expanded by the PMT System Safety Manager to include a Testing 
section upon completion of the Final Design phase of a particular CHST System element. The safety- 
and security-critical items for systems identified during the Final Design and Construction Phases will be 
carried over into the Testing Phase. In addition, the relationships between systems and subsystems will 
be analyzed for systems integration requirements as identified in a Systems Integration Test Plan, and 
Certifiable Items Lists for integrated testing will be developed to prove the integration of associated 
systems. 

The Systems Contractor(s) will be responsible for any additional analyses that are required (PHA, TVA, 
FMEA, IHA, SHEA, FTA and OHA as appropriate), as the safety-critical or security-critical testing criteria 
are developed and applied to specific CHST system or subsystem elements. The systems contractor(s) 
will be responsible for developing and completing the Certifiable Items Lists that apply to their scope of 
work during the Testing Phase. The system(s) contractor must identify in the resolution section of the 
Certifiable Items Lists objective evidence that demonstrates compliance with testing requirements that are 
identified as safety-critical or security-critical. Requests for variance from the requirements identified in 
the Certifiable Items Lists will be handled through the process identified in Section 5.3. 

All completed Certifiable Items Lists for system testing or system integration, along with associated 
supporting material, will be compiled by the systems contractor(s) and available for audit by the PMT 
System Safety Manager upon request. When all Certifiable Items Lists for a particular system element or
integrated system relationship are completed, a Testing Certificate of Conformance Package (consisting 
of a Certificate of Conformance for the required system tests, all completed Verification Checklists, and all 
supporting documentation such as hazard analysis, field reports, photographs, and drawings) will be 
compiled and forwarded to the PMT System Safety Manager. The PMT System Safety Manager will 
review the Testing Certificate of Conformance Package for completeness and content accuracy, and will 
then forward the Testing Certificate of Conformance Package to the SSPC for review and acceptance 
through the issuance of SONO. If accepted by the SSPC, the Testing Certificate of Conformance 
Package is forwarded to the SSEC for ultimate Authority review, approval and certification. 

7.3.6 Startup Verification

The Certifiable Items Lists will be expanded by the PMT System Safety Manager to include a Startup 
section as the CHST system is prepared for the start of revenue operations. The safety- and security- 
critical items for operational readiness of the CHST System identified during the Final Design, 
Construction and Testing Phases will be carried over into Startup. Certifiable startup items include but 
are not limited to operation plans, emergency preparedness plans, training programs, timetables and 
rulebooks. 

The O&M contractor(s) will be responsible for completing the Certifiable Items Lists that apply to their 
scope of work prior to Startup. The O&M contractor(s) must identify in the resolution section of the 
Verification Checklists objective evidence that demonstrates compliance with requirements for the start of 
revenue operations that are identified as safety-critical or security-critical. The O&M contractor(s) will be 
responsible for any additional analyses that are required (PHA, TVA, FMEA, IHA, SHEA, FTA and OHA 
as appropriate), as the safety-critical or security-critical criteria for startup are applied to specific CHST 
system, subsystem or operational elements. Requests for variance from the requirements identified in 
the Certifiable Items Lists will be handled through the process identified in Section 5.3. 

All completed Certifiable Items Lists for the start of revenue operations, along with associated supporting 
material, will be compiled by the O&M Contractor(s) and available for audit by the PMT System Safety 
Manager upon request. When all Certifiable Items Lists for a particular system or operational element are 
completed, a Startup Certificate of Conformance Package (consisting of a Certificate of Conformance for 
the startup requirements, all completed Certifiable Items Lists, and all supporting documentation such as 
hazard analysis, field reports, photographs, and drawings) will be compiled and forwarded to the PMT 
System Safety Manager. The PMT System Safety Manager will review the Startup Certificate of 
Conformance Package for completeness and content accuracy, and will then forward the Startup 
Certificate of Conformance Package to the SSPC for review and acceptance through the issuance of 
SONO. If accepted by the SSPC, the Startup Certificate of Conformance Package is forwarded to the
SSEC for ultimate Authority review, approval and certification.

7.3.7 Open Items List 

Certifiable Items that cannot be closed prior to the start of the next project phase shall be placed on an 
Open Items List for tracking purposes. The Open Items List will describe the Certifiable Item itself, 
restrictions or conditions that permit the movement of the project element to the next project phase,
a target date for closure, and a person of accountability for the certifiable item. The Open Items List will 
be periodically reviewed by the SSPC for progress and completeness. 

7.3.8 Conditional Use Permit 

Certifiable Items that require placement on the Open Items List will be reviewed by the PMT System 
Safety Manager and additional hazard analysis applied as appropriate. The results of the hazard analysis 
will be incorporated into a Conditional Use permit that describes the conditions or restrictions that allow the
use or advancement of the certifiable item into the next project phase before certification for that item is 
complete. The Conditional Use permit will be presented to the SSPC for review and SONO. The 
Conditional Use permit will describe all conditions or restrictions associated with the Certifiable Item, and 
an expiration date. Extension of the expiration date will require further review and SONO by the SSPC. 

8.0 CONSTRUCTION SAFETY AND SECURITY

8.1 Overview 

The purpose of the construction safety and security program is to define the minimum health, safety and
security requirements to which all participating CHSTP staff, contractors and subcontractors shall adhere
in fulfilling the Authority’s commitment to ensuring a safe and secure construction project. This
commitment includes the prevention of job-related injuries and illnesses for the workers engaged in
project construction activities, as well as providing safe and secure conditions during construction of the
project for the members of the public who live, work or travel near the project work areas.

All applicable codes and regulations must be followed by employees engaged in construction activities,
including but not limited to:

• California Code of Regulations Title 8 Construction Safety Orders

• Federal Railroad Administration regulations as found at 49 CFR 214, 49 CFR 219, 49 CFR 225,
49 CFR 228, 49 CFR 236

• CPUC General Orders

• Other applicable federal and state OSHA regulations

Contractors will be required to develop a Site-Specific Health and Safety Plan (SSHASP) and a
Site-Specific Security Plan (SSSP) that identify the local conditions and requirements peculiar to the site and
work to be performed, and are in compliance with the above regulations.

Contractors are responsible for ensuring the compliance of their employees and subcontractors with the
SSHASP and SSSP.

8.2 Construction Safety and Security Program Elements 

The CHSTP Construction Safety and Security Program (Appendix B) describes the basic programmatic
requirements for construction safety and security, compliance to which is required through the CHSTP
construction contract documents. Basic elements of the construction Safety and Security Program
include Site-Specific Health and Safety Plans, which are described below.

8.2.1 Site-Specific Health and Safety Plans

The Construction Contractor will be responsible for all aspects of safety and security at the project work
site, as required through the standard contract provisions. The Construction Contractor will be required to
develop and implement a Site-Specific Health and Safety Plan (SSHASP) specific to its contract work on
the CHSTP, in conformance with the CHSTP Construction Safety and Security Program. A site-specific
Job Hazard Assessment (JHA) will be performed by the Contractor to determine the safety processes,
equipment utilized, and personnel assignments to be provided by the Contractor at each project work site.

The SSHASP will provide details on how the contractor will fulfill the contract safety and security
requirements, and will be submitted to the PMT for review and approval.

8.2.2 Construction Safety and Security Management 

The construction contractor will be responsible for developing and implementing a Site-Specific Health
and Safety Plan and Site-Specific Security Plan in conformance with the requirements of the CHSTP
Construction Safety and Security Program. The construction contractors will also be responsible for
demonstrating self-certification of safety-critical and security-critical certifiable items as identified through
the CHSTP V&V process and documented in the V&V Requirements Management Tool database.

The CHSTP Construction Manager will be responsible for the management oversight of the entire
construction safety and security program. The CHSTP Construction Management staff will verify
contractor compliance with the safety and security requirements of the approved SSHASP and other
safety/security related contract provisions, and applicable regulations throughout the construction, testing 
and start-up phases of the CHSTP. The CHSTP Construction Management staff will audit Construction 
contractor submissions involving safety and security designs, testing, construction activities and V&V 
Conformance Checklists. Results will be reported to the Safety and Security Project Committee in 
compliance with the CHSTP Safety and Security Certification Program described in Section 7.0. 

8.2.3 Stop Work Order 

The CHSTP construction management plan will establish procedures regarding control of nonconforming 
work and stop work orders. In the event that a failure to meet safety and/or security requirements results 
in imminent danger to workers or the general public or property, a Stop Work Order will be issued by the 
CHSTP Construction Manager. 

The CHSTP stop-work procedure shall apply to all construction activities. The stop-work procedure will 
be used only where imminent danger situations exist. An “imminent danger” is any condition or practice 
that could reasonably be expected to cause death or serious physical harm immediately or before the 
danger can be eliminated by normal means. 

Stop-work orders will be in effect until the issuing authority determines that the problem(s) is resolved and 
the work area(s) is brought to satisfactory conformance with health, safety and security requirements. 

8.3 Construction Phase Hazard and Vulnerability Analysis 

The CHSTP is committed to identifying and managing construction safety hazards and security
vulnerabilities as subdivisions within the general issue of project risk. Risk in this context includes those
events that, if they do occur, could impact on safety, security, the environment, CHST System’s interests
or the interests of third parties, including property owners and municipalities.

8.3.1 Risk Management 

Risk Management is utilized by the CHSTP as a decision support tool, specifically identifying areas of
high risks, which are reviewed to ensure that all reasonably practicable measures are taken to mitigate
them. Risk Control measures shall be identified for all risks to the Project. These include financial and
schedule risks as well as property, safety and security risks.

For the construction phase, prior to finalization of the contract documents, surveys to identify any unique 
hazards, threats, or vulnerabilities that may exist for the particular construction elements will be 
conducted and actions to mitigate these hazards or vulnerabilities will be included in the Special 
Provisions of the specific contract package. 

During construction, each contractor shall co-operate with CHSTP staff and other interested parties in 
providing information needed in connection with risk management of its contract works. The contractor 
will prepare and submit to the PMT Risk Manager a Risk Management Plan for review and acceptance. 
The Risk Management Plan shall be based upon the CHSTP Risk Management strategy and shall 
include a means of monitoring progress in the reduction of the overall number and impact of risks through 
the use of a Risk Register which shall be in a format acceptable to the PMT Risk Manager. Safety 
hazards and security vulnerabilities shall be identified as risks, and will be included as special categories 
in the Risk Register. 

During the contract each contractor’s Risk Register shall be updated monthly and submitted to the PMT in 
hard copy and electronic formats. The risks identified by the contractor shall be integrated into the 
CHSTP Risk Register. 

The Contractor’s Risk Management process shall ensure that as far as is reasonably practicable: 

• All risks are identified

• Judgments are made as to risk importance

• Risk exposure is reduced to acceptable levels

• Risk control measures are assessed against cost benefit as appropriate

• Control measures are reviewed and managed until close out

For the top “critical” risks from the Risk Register each contractor shall provide a narrative for each Critical
risk identified in this category section and the mitigation plan proposed. Safety hazards and security
vulnerabilities will be treated as separate categories of risk, and will be classified as Critical depending on
specific site conditions.

9.0 STATE SAFETY OVERSIGHT REGULATIONS

9.1 Applicability 

The California High-Speed Train Project does not fall under the Federal Transit Administration 
applicability regulations for State Safety Oversight, described in 49 CFR 659. As such, this section does 
not apply. The Federal Railroad Administration has authority for oversight of safety regulations.

10.0 COORDINATION WITH FEDERAL RAILROAD ADMINISTRATION


10.1 Activities 

The California High-Speed Train Project will design and construct a railroad system that is regulated by 
the Federal Railroad Administration. FRA regulation is by directive under the United States Department 
of Transportation. 

Effective on the date the Railroad begins revenue operations, the following generally applicable federal 
railroad safety regulations from Title 49, Code of Federal Regulations, and any amendments thereto are 
made applicable to the CHSTP, except where the CHSTP is granted relief through an FRA waiver. 

• Part 207, Railroad Police Officers 

• Part 209, Railroad Safety Enforcement Procedures 

• Part 210, Railroad Noise Emission Compliance Regulations 

• Part 211, Rules of Practice 

• Part 212, State Safety Participation Regulations 

• Part 213, Track Safety Standards 

• Part 214, Railroad Workplace Safety 

• Part 215, Freight Car Safety Standards 

• Part 216, Special Notice and Emergency Order Procedures 

• Part 217, Railroad Operating Rules 

• Part 218, Railroad Operating Practices 

• Part 219, Control of Alcohol and Drug Use 

• Part 220, Railroad Communications 

• Part 221, Rear End Marking Device 

• Part 222, Use of Locomotive Horns at Public Highway-Rail Grade Crossings

• Part 225, Railroad Accidents / Incidents: Reports, Classification and Investigations 

• Part 227, Occupational Noise Exposure 

• Part 228, Hours of Service of Railroad Employees 

• Part 229, Railroad Locomotive Safety Standards 

• Part 231, Railroad Safety Appliance Standards 

• Part 232, Brake System Safety Standards 

• Part 233, Signal Systems Reporting Requirements 

• Part 235, Instructions Governing Applications for Approval of a Discontinuance 

• Part 236, Rules, Standards and Instructions Governing the Installation, Inspection, Maintenance and 
Repair of Signal and Train Control Systems, Devices, and Appliances 

• Part 237, Bridge Safety Standards 

• Part 238, Passenger Equipment Safety Standards

• Part 239, Passenger Train Emergency Preparedness

• Part 240, Qualification and Certification of Locomotive Engineers

• Part 242, Passenger Train System Safety Plans


The CHSTP will submit to the FRA any plans, programs, and procedures that affect the safe operation of 
the system, or which are required to demonstrate compliance with the applicable regulations. 

Throughout Preliminary Engineering and Final Design phases the CHSTP will communicate with FRA to 
assure knowledge of the system as it is developed. CHSTP will maintain regular contact with FRA during 
development of operating rules, training of maintenance and operating personnel and development of 
operating practices prior to the start of revenue service. 

As detailed in Section 7.0 of this SSMP the CHSTP will manage a safety and security certification 
program to record and demonstrate that all safety and security requirements for the project are identified 
and integrated into the final system. 

10.2 Implementation 

The CHSTP, through the Program Management Team, will maintain communications with the FRA 
representatives throughout the Planning, Preliminary Engineering, Final Design, Construction, and 
Testing and Start-up phases. 

10.3 Coordination Process 

Interface and coordination with FRA will be conducted through the Program Management Team (PMT). 
The PMT will designate those persons authorized to interface with agents of the FRA to assure that 
information and decisions communicated between CHSTP and FRA are consistent, correct and 
authorized. 

The FRA will provide guidance to the PMT with regard to applicable regulations, documents that will 
require formal submission and approval, and how any variances may be processed.

11.0 DEPARTMENT OF HOMELAND SECURITY COORDINATION


There are currently no DHS requirements or security directives that have been issued by the 
Transportation Security Administration (TSA) applicable to new builds, and particularly high-speed rail. 
The Authority will develop a Security and Emergency Preparedness Plan (SEPP) prior to revenue 
operation. The SEPP will fulfill DHS/TSA requirements for an operating railroad, which include 
development of an SEPP, and designating a primary and alternate Security Coordinator and providing 
TSA with names and contact information for 24 hour/7 days per week availability. The Security 
Coordinator will have a direct reporting relationship to the Authority Chief Executive Officer regarding 
matters of security. 

The Authority has established liaison with the TSA Mass Transit and Rail Department through the 
project’s lead security consultant who reports directly to the project operations manager. This liaison has 
been established to ensure all DHS/TSA requirements will be met once the project is complete, and to 
stay current with all security concerns, threats, best practices and developing security regulations that 
affect rail security.

APPENDIX A - CALIFORNIA HIGH-SPEED RAIL AUTHORITY ORGANIZATIONAL CHART


California High-Speed Rail Authority

Board Members: Tom Umberg (Chair), Tom Richards, Lynn Schenk, Bob Balgenorth, Jim Hartnett,
Russell Burns, Dan Richard, Michael Rossi, Matt Toledo.

APPENDIX B - CHSTP CONSTRUCTION SAFETY PROGRAM REQUIREMENTS


1. CHSTP Construction Safety and Security Program 
1.1 Program Goals and Objectives 

The Construction Safety Program is established by the California High-Speed Rail Authority (Authority) to
implement safety initiatives associated with the construction of the California High Speed Train Project
(CHSTP) and all other construction, repair, maintenance, and related services required by the Authority.
The Construction Safety Program applies to all persons or entities involved in the warranty service of the
post-construction California High-Speed Train Project, including but not limited to the Authority and
Program Management Team personnel, and warranty service Contractors (prime contractors and
subcontractors).

Construction Safety and Security Program goals are as follows:

• Prevent personal injuries and property damage or loss 

• Provide a safe and secure work environment for employees, contractors, passengers,
emergency responders, and the public at large

• To convey the CHSTP Safety and Security Policy Statement to all warranty service 
Contractors and sub-contractors 

• To ensure compliance with the stated objectives and requirements contained in the 
CHSTP Safety and Security Policy Statement; Contractor’s Site-Specific Health and 
Safety Plan (SSHASP); contract provisions; applicable federal, state and local laws 
and regulations; and industry consensus standards 

• To identify specific requirements for the Warranty service Contractors’ workplace safety and 
security programs 

• To identify a process for Authority approval of the SSHASP and SSSP submittals. 

The effectiveness of the Construction Safety Program depends upon active participation,
cooperation, and compliance by Authority staff, Authority’s Program Management Team (PMT)
staff, and Contractors (and sub-contractors) project managers, superintendents, supervisors,
and employees. Direct coordination with and between all parties is essential to the successful
application of the following objectives:

• Plan and execute all Work to prevent personal injury, property damage or loss 

• Comply with federal, state, and local laws, ordinances, regulations, industry 
consensus standards; and Authority and contractor regulations, policies, procedures, 
and requirements 

• Implement and maintain a system of prompt identification and correction/abatement
of unsafe and unhealthy practices and conditions

• Implement and maintain a system of prompt detection and reporting of security
breaches, incidents or conditions.

• Prompt notification and investigation of all incidents of injury, damage, or near-miss 
incidents to determine causes and take necessary corrective action 

• Establish and conduct an educational program to stimulate and maintain the interest 
and cooperation of all employees through safety and security meetings and training 
programs 

• Proper utilization of Personal Protective Equipment and all required safety 
equipment/devices 

• Employ capable/competent personnel and develop processes providing safe and 
secure working environments for the construction work force, management facilities, 
the affected public, and private businesses and their properties 

• Establish and maintain a comprehensive security program encompassing personnel, facility, 
and site management in conjunction with emergency planning and response procedures 

1.2 California High-Speed Rail Authority Responsibilities 

The California High-Speed Rail Authority is responsible for ensuring that the CHSTP is designed, built, 
tested, and placed into revenue service in a safe and secure manner. To that end, the Authority is 
responsible for the following: 

• Formulation and implementation of acceptable policies, processes, work practices, 
and standards to promote the goals of the safety and security program. 

• Compliance with existing federal, state, and municipal statutory and regulatory 
safety and health laws, standards, codes, regulations, etc. 

The Authority shall provide oversight and guidance with respect to the application and 
enforcement of the CHSTP Safety and Security Policy Statement (Section 1.25.1 of this contract 
section). The Authority shall audit the Contractor’s activities and documentation to ensure 
compliance with the CHSTP Safety and Security Policy Statement and the approved Site- 
Specific Health and Safety Plan. The Authority may choose to delegate oversight responsibility 
for safety and security to a Program Management Team. Reference to the “Authority” in this 
contract section includes the Authority’s Program Management Team or other designated 
representative. 

1.3 Contractor Responsibilities 

The Contractor is responsible for ensuring safety and security at all of its work sites, including the 
activities of subcontractors. Safety and security management and enforcement for each contract shall be 
administered by employees (direct hire) of the Contractor. This responsibility shall not be delegated nor 
contracted out to subcontractors, suppliers, consultant service/company, or any other persons/agency 
without written approval from the Authority. In compliance with these provisions, the Contractor shall
perform the following:

• Perform a Job Hazard Analysis (JHA) for each job assignment within the scope of the contract for
which a person may be exposed to incidents of injury or illness. JHAs previously performed by the 
Contractor will be acceptable for use in determining preventative measures if the scope and 
functionality of the jobs under review are justifiably the same. The previously-performed JHAs, 
however, must address the specific characteristics of each site and tasks performed within the project 
scope. JHAs shall be documented in electronic format and available for review by the Authority at 
any time. 

• Develop a Site-Specific Health and Safety Plan (SSHASP) which shall address field work-related 
hazards and mitigation measures. The SSHASP must: 

- Consider all work to be performed by the Contractor (including any activities
subcontracted);

- Conform to the Contractor’s corporate work site health and safety program;

- Conform to applicable workplace safety regulations including but not limited to California
Code of Regulations Title 8 Construction Safety Orders, Federal Railroad Administration
regulations as found at 49 CFR 214, 49 CFR 219, 49 CFR 225, 49 CFR 228, 49 CFR 236,
CPUC General Orders, Federal and State OSHA regulations; and,

- Meet the SSHASP element requirements identified in Section 1.25.4.4 of this document 

• Develop a Site-Specific Security Plan (SSSP) which shall address field work-related 
threats/vulnerabilities and mitigation measures. This plan must: 

- Consider all work to be performed by the Contractor (including any activities
subcontracted);

- Conform to the Contractor’s corporate work site security program; and, 

- Meet the element requirements identified in Section 2.2 of this document 

• Plan and execute all work in compliance with the stated objectives and requirements contained in the
CHSTP Safety and Security Policy Statement; Contractor’s SSHASP and SSSP; contract provisions;
applicable federal, state and local laws, regulations; and industry consensus standards

• Ensure all subcontractors, suppliers, etc. are provided with a copy of the CHSTP Safety and Security 
Policy Statement, and Contractor’s SSHASP and SSSP, and are properly informed of their 
obligations with regards to compliance. 

• Participate in and support applicable safety and security certification processes as identified in 
Section 1.25.5 of this contract. 

• Designate one or more persons as the safety and security representatives responsible to ensure the 
proper implementation of the SSHASP and SSSP respectively. Identify the response plan for the 
representative(s) and reporting responsibilities. The representatives will have sufficient knowledge 
and experience to demonstrate competency for applicable subject matter. The minimum 
qualifications shall be five years of diversified construction health and safety experience, 30 hour 
OSHA outreach Construction Training card, competent person training certifications for trenching and 
excavations, confined space entry and rescue (as applicable), tunnel construction and ventilation (as 
applicable), fall protection, certification as a Construction Health and Safety Technician (CHST), 
Certified Safety Professional (CSP), or Certified Industrial Hygienist (CIH), and two years experience 
related to the Contract scope of work. The qualifications of proposed safety and security 
representatives shall be submitted to the Authority for review and approval 30 days prior to field work 
taking place.

• The contractor shall be responsible for obtaining permits from the California Division of Occupational
Safety for the following:

- Erection or demolition of any building, falsework, scaffolding, or structure the equivalent 25 feet or
higher.

- Performing any work related to hazardous materials.

- Performing any work subject to Cal/OSHA Tunnel Safety Orders.

Permits will be kept on file at the work site and available for immediate review upon request by the 
Authority. 

• For any engineering or construction equipment (such as drills, cranes, concrete pump trucks, back
hoes, and the like) that could encroach into the operating right-of-way of other railroads, the
Contractor shall comply with the requirements of the other railroads including obtaining permits and
taking the necessary precautions to preclude any accidental encroachment of the right-of-way.
Encroachment shall be as defined by the other railroads and may include equipment such as
cranes which could swing into or fall into the right-of-way. The Contractor will comply with the safety
requirements specified by the adjacent railroad for work in and adjacent to other railroad's
rights-of-way.

• For any engineering or construction equipment (such as drills, cranes, concrete pump trucks, back 
hoes, and the like) that could encroach into operating public right-of-way, such as streets and 
highways, the Contractor shall submit and obtain Authority Representative’s approval and approval 
from local authorities having jurisdiction over the public right-of-way of a plan describing the use of 
such equipment and the precautions to be taken to preclude any accidental encroachment to the 
operating right-of-way. Encroachment shall be understood to include equipment such as cranes 
which could swing into or fall into the public operating right-of-way. The Contractor shall comply with 
the safety requirements of the local authorities having jurisdiction over the operating right-of-way for 
work in and adjacent to that right-of-way. 


1.4 Site-Specific Health and Safety Plan Elements

The safety processes, equipment utilized, and personnel assignments to be provided by the Contractor at 
each work site may differ based upon a site-specific Job Hazard Analysis (JHA) performed by the 
Contractor. The Site-Specific Health and Safety Plan shall include, but not be limited to, the following 
elements: 

• Safety and security policy statement 

• Identification of the makeup, reporting structure, and inter-action processes of the 
Contractor’s Site Warranty Service Team, including the Contractor’s Safety 
Manager, with the rest of the project work force (including sub-contractors and the 
Authority), and with third-parties such as emergency responders, utilities, and 
adjacent railroad operators 

• Identification of roles and responsibilities of all employees for the Contractor and 
subcontractors with respect to safety 

• Process for managing hazards or incident of injury or damage through identification, 
reporting, and correction or abatement or mitigation, including descriptions for 
processes and applicability of Job Hazard Analyses

• Procedures for work site safety audits and inspections, including assignment of
responsibility, frequency, documentation method, and actions following various audit 
results 

• Employee communication program that identifies individual responsibilities for all 
employees, schedules for specific communication techniques, and a process for 
recording and tracking communication program performance. The employee 
communication program will include but not be limited to: 

• Job briefing procedures/requirements 

• Hazard communications (HazComm) 

• Employee safety committees

• Project safety committees

• Notification to employees and the Authority of incidents or hazards when identified

• Site-specific workplace health and safety rules and procedures that conform to 
regulatory requirements of local, state, and federal occupational safety and health 
regulations, including but not limited to California Code of Regulations Title 8 
Construction Safety Orders, Federal Railroad Administration regulations 49 CFR 
200-299, California MUTCD, the Contractor’s corporate safety plan, and the CHSTP
Safety and Security Policy Statement. Rules and procedures must address site- 
specific work activities and conditions including but not limited to: 

• Personal protective equipment for all work site hazards and conditions, including equipment 
issuance/availability procedures. 

• Mobile equipment operation procedures and training program, including qualification process and 
requirements, and performance observation/evaluation requirements. 

• Fall protection and scaffolding procedures, including minimum fall protection equipment 
requirements, a process for training workers, and performance observation/evaluation 
requirements. 

• Motor vehicle operation program, including rules and procedures for specific equipment to be 
used at the work site (including industrial lift trucks), operator screening and qualification process 
and requirements, and performance observation/evaluation requirements. 

• Roadway worker protection (on-track safety) for Authority right-of-way in compliance with FRA 
regulations contained in 49 CFR Part 214. 

• Hazardous materials handling and storage plan specific to each work site, including a plan for 
cataloguing Material Safety Data Sheets and submitting same to the Authority, and for 
communicating MSDS information to employees. 

• Lockout/tagout programs for all applicable energy sources, including but not limited to electrical, 
hydraulic, and kinetic. 

• Fire prevention and suppression plan, including procedures for identification of hazards that could 
lead to fire, procedures for local fire suppression and notification to authorities, inspection 
processes, and a detailed training and exercise program.

• Safety and security program training requirements and documentation including training
curriculum, frequencies of and method of delivery for training, training records and lists of
qualified/competent persons for specific tasks.

• Roadway worker protection for adjacent railroad right-of-ways. Employees working in these
locations shall be trained by the Contractors to ensure they become fully familiar with railway
operations, procedures, rules, and safety requirements; and a daily Jobsite Hazard Analysis
(JHA) shall be conducted.

• A plan for coordinating roadway worker protection activities and compliance with 
adjacent railroads. All Contractors working in the shared corridor will meet frequently 
with the responsible representatives of the operating railway and coordinate 
activities to minimize risks and hazards to Contractor personnel, and to avoid 
hazards or disruptions to the operation of the railway. 

• Work site first-aid resources and a training program for employees. 

• An Emergency Response Plan for management of emergency situations associated 
with, but not limited to, the following: injury to an employee or member of the public; 
fire; flood; earthquake; property damage and damage to various utilities (such as, 
electrical, gas, sewage, water, telephone or public roadways); public 
demonstrations; acts of sabotage including threats of sabotage; hazardous materials 
encountered; toxic spills; explosions; vehicular accidents; and confined space 
rescues. The Emergency Response Plan shall be updated when conditions or
procedures change. The Emergency Response Plan shall include the following
items, at minimum:

- Identification of the person responsible for handling an emergency. 

- Establishment of teams for handling each type of emergency. 

- Identification of the person responsible for making emergency call (preferably the 
ranking Supervisor present). 

- The requirement to conspicuously post a list of emergency phone numbers,
along with information to be transmitted. Include with the emergency phone
numbers, the number of the Authority representative to be contacted. Request
telephone number and name of Authority contact person or persons from the
Authority Representative.

- Trench and confined space rescue plan or tunnel evacuation plan, as applicable. 

- The procedure for contacting the Authority Representative when an incident of 
emergency response occurs. 

- Scene management for the emergency response including procedures for 
ensuring the safety of employees and emergency responders, safeguarding the 
scene from unwanted entry, and handling on-scene media. 

• A plan for ensuring public safety at work sites and avoiding damage to public
property. The public shall be considered as any persons and property not employed
or owned by the Contractor or its Subcontractors. The plan must address
site-specific work activities and conditions including but not limited to:

• Identification of potential hazards to the public

• Erection and proper warranty service at all times of all necessary safeguards for the protection of
the public, including pedestrian and vehicle traffic, and the assignment of trained and competent
flaggers whose sole duties shall consist of directing the movement of public traffic through or
around the Work site

• Posting of signs warning against the hazards created by warranty service activities

• Elimination of unnecessary noise, obstructions, and other annoyances to nearby residents and
businesses

• Procedures and competency training for employees assigned to public safety and public property
protection

• Designated work zones. Work outside of the designated work zones shall be performed only
when specifically stated in writing from the Authority Representative.

• Other elements that conform to the Contractor’s corporate health and safety plan. 

1.5 Site-Specific Security Plan Elements

Security at construction sites is to ensure all personnel working at the site, and the 
surrounding communities, are protected from crime and security-related conditions. 

This includes protection of materials, tools, equipment and personal property of workers 
at sites. Each construction site will vary, from type of equipment, machinery, materials 
and tools to adjacent public and private areas and local zoning ordinances. The types 
of security to be provided by the Contractor at each construction site may differ based 
upon a site-specific security assessment performed by the Contractor. The Site- 
Specific Security Plan shall include, but not be limited to, the following elements: 

• Safety and security policy statement 

• Identification of the makeup, reporting structure, and inter-action processes of the 
Contractor’s Project Management Team, including the Contractor’s Security 
Management Team, with the rest of the project work force (including sub-contractors 
and the Authority) and with third-parties such as local law enforcement agencies. 

• Identification of roles and responsibilities of all employees for the Contractor and 
subcontractors with respect to security. 

• Protection of the public and property, materials, equipment and tools through the use 
of fencing, access control, locks, alarms, intrusion detection, lighting, and security 
guards as necessary, and any other security requirements that may be applicable. 

• Personnel security program including employee background requirements, a code of 
conduct and expectations for employee behavior, and procedures for internal and 
external notification when personnel security is violated.

• Access control program to identify authorized persons for each work site,
procedures for authorizing new employees or visitors, and procedures for monitoring 
access control performance. 

• Plan for coordination with local law enforcement for incident reporting, traffic control 
and other security related conditions or events. 

• Other elements that conform to the Contractor’s corporate security plan.